Report claims that eBay data leak was caused by hole at PayPal
According to the consumer advocates at falle-internet.de, the recent case in which eBay's customer data was illicitly retrieved was not caused by a hole at eBay but by a vulnerability at eBay's subsidiary PayPal. Criminals used the data to forge "offers to losing bidders"; those inveigled into buying were then asked to pay immediately via Western Union.
The staff at falle-internet.de say they have analysed two of the scripts the criminals used to read out the data (German text with screenshots). The main part of the script contained PayPal API calls like the one below (the line is obfuscated in the original report):
$url = file_get_contents('http://www.paypal.com/cgi-xxx/
Once a user name had been entered, the script returned that member's postal code, town of residence and e-mail address from eBay's database.
Should these allegations prove true, the situation would be very embarrassing for the online payment service, which obtained a banking license for the EU only two months ago and in doing so became subject to strict security regulations. It is not clear what the consequences of such a vulnerability would be. In eBay forums it is rumoured that, once the problem had been detected, eBay quickly took full responsibility for it in order to protect PayPal. falle-internet.de also wants to know why PayPal has access to eBay data at all, since this might constitute a breach of data protection law. eBay's privacy policy on the processing of personal data does, however, contain a clause that allows other eBay companies to access customer data for a variety of purposes, including support of financial transactions.
- eBay-Sicherheitsleck identifiziert: Datenabruf lief über PayPal (eBay security hole identified: data retrieval ran via PayPal), report at falle-internet.de (German text with screenshots)
- Fraudsters abuse eBay customer database, report at heise Security