eBay security flaw

There is a security flaw in eBay. When two people are logged in to the same account from different places, logging out doesn’t log the other party out, or even challenge them for the password. This may not sound like an issue, but when things go wrong, it is. Let’s say your account is hijacked. This is actually pretty common these days, even if you don’t click on dodgy links to spoof sites and avoid the emails that start “We include your name to show..” yet don’t. You see that first sale of a £400 laptop appear in your email, and you react fast.

When this happened to one of our accounts, we logged in, killed the auctions (both of them) and quickly changed the password. Another auction appeared. We logged out, thinking that this would stop them. But more emails came in! Logging back in, we saw there were now 9 auctions, including a re-listing of one that we had cancelled! So we logged out again, thinking that the eBay computers must notice something weird. We logged in again, and there were even more!

At this point we started to mass-kill the auctions that were fake, then everything stopped as eBay woke up and disabled the account until we confirmed from a link sent to the registered email address. It was a frantic half hour, though.
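The session behaviour described above, as an added illustration that is neither eBay's code nor the author's: a minimal in-memory session store in Python with the weak logout (only the caller's own token is dropped) beside the usual fix, a per-user session generation counter that is bumped on password change or "log out everywhere", so every token issued before the bump stops validating. Every name here (`SessionStore`, `session_epoch`, the sample account `seller`) is constructed for the example.

```python
"""Session invalidation on logout and password change (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    session_epoch: int = 0  # incremented to revoke every outstanding session


@dataclass
class Session:
    username: str
    epoch: int  # the user's session_epoch at the time the session was issued


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class SessionStore:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))

    def login(self, username: str, password: str) -> str | None:
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.session_epoch)
        return token

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        # A session issued before the user's epoch was bumped is dead even
        # though its token is still in the table.
        return session.epoch == self.users[session.username].session_epoch

    def logout_this_device(self, token: str) -> None:
        # The behaviour the post describes: only the caller's own token goes
        # away; any other session on the same account survives untouched.
        self.sessions.pop(token, None)

    def logout_everywhere(self, token: str) -> None:
        session = self.sessions.pop(token, None)
        if session is not None:
            self.users[session.username].session_epoch += 1

    def change_password(self, token: str, old: str, new: str) -> bool:
        if not self.is_valid(token):
            return False
        user = self.users[self.sessions[token].username]
        if not self._check_password(user, old):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new, user.salt)
        # Revoke every session, including the one making the change: the
        # owner logs in again with the new password, the hijacker cannot.
        user.session_epoch += 1
        del self.sessions[token]
        return True


def demo() -> dict[str, bool]:
    """Owner and hijacker share one account; shows what each logout does."""
    store = SessionStore()
    store.register("seller", "correct horse battery")  # constructed sample account
    owner = store.login("seller", "correct horse battery")
    hijacker = store.login("seller", "correct horse battery")  # stolen credentials
    results: dict[str, bool] = {}
    store.logout_this_device(owner)
    results["hijacker_alive_after_plain_logout"] = store.is_valid(hijacker)
    owner = store.login("seller", "correct horse battery")
    results["password_change_ok"] = store.change_password(owner, "correct horse battery", "new pass phrase")
    results["hijacker_alive_after_password_change"] = store.is_valid(hijacker)
    results["old_password_still_works"] = store.login("seller", "correct horse battery") is not None
    results["owner_can_relogin"] = store.login("seller", "new pass phrase") is not None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The epoch trick avoids having to enumerate a user's tokens on revocation, which matters when sessions live in a cache that is not indexed by user; a site that instead stores sessions per user can simply delete them all on password change, which achieves the same thing.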

We find it interesting that this account got hijacked, too. It was dormant, nothing having been listed in about 10 months, and like all our accounts, it had a reasonably secure password. We can only guess how it was breached.

One possible way is that a scammer picked a password, and then tested that password once against a million or so eBay account usernames, to avoid the time-out feature. That doesn’t make much sense, though, since our password was a pretty random word/number combination. However, if you have several million usernames and you pick a (say) 6 character password, you probably have a fairly good chance of getting a hit: the odds against are 36^6 or something to 1, about 2.1 billion to 1. Base it on a dictionary word, and think about how people tend to change them into more “secure” passwords, and you can see a far, far higher likelihood of getting a hit. Still, it seems like a heck of a lot of work, even with a botnet of thousands of different IPs.
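The one-password-against-many-accounts pattern described above is exactly the case a per-account lockout (the "time-out feature") cannot see, because every account fails only once. As an added example, not from the post and not eBay's code, the Python below looks across accounts instead: it buckets failed logins into time windows and flags a window in which failures are spread over many distinct usernames, while a pile of failures against one account is left to the ordinary lockout. The log format, thresholds and sample traffic are all constructed for the example, and it deliberately does not key on source IP, since the post notes a botnet spreads the attempts across thousands of addresses.

```python
"""Spotting a password spray across accounts in an auth log (added example)."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse(line: str) -> Event:
    """Constructed format: '<iso-timestamp> <source-ip> <username> <OK|FAIL>'."""
    ts, ip, user, result = line.split()
    return Event(datetime.fromisoformat(ts), ip, user, result == "OK")


def build_spray_log() -> list[str]:
    """Constructed sample: 30 accounts each fail once inside two minutes,
    each attempt from a different address, mixed with ordinary traffic."""
    base = datetime(2008, 3, 1, 10, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=4 * i)).isoformat()} 198.51.100.{i + 1} user{i:02d} FAIL"
        for i in range(30)
    ]
    # Ordinary traffic: one user mistypes once, then logs in fine.
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 203.0.113.5 carol FAIL")
    lines.append(f"{(base + timedelta(seconds=45)).isoformat()} 203.0.113.5 carol OK")
    return lines


def build_brute_force_log() -> list[str]:
    """Constructed contrast: 25 failures against one account from one address."""
    base = datetime(2008, 3, 1, 11, 0, 0)
    return [
        f"{(base + timedelta(seconds=2 * i)).isoformat()} 192.0.2.44 alice FAIL"
        for i in range(25)
    ]


def analyse(
    lines: list[str],
    window: timedelta = timedelta(minutes=10),
    min_failures: int = 20,      # below this a window is just noise
    lockout_threshold: int = 5,  # what per-account lockout already catches
    spread: float = 0.8,         # share of failures that hit distinct accounts
) -> list[dict]:
    """Return one finding per window that contains failed logins."""
    events = sorted((parse(line) for line in lines), key=lambda e: e.ts)
    fails = [e for e in events if not e.ok]
    if not fails:
        return []
    start = fails[0].ts
    buckets: dict[int, list[Event]] = defaultdict(list)
    for e in fails:
        buckets[(e.ts - start) // window].append(e)  # window index relative to first failure
    findings = []
    for key in sorted(buckets):
        bucket = buckets[key]
        per_user = Counter(e.user for e in bucket)
        per_ip = Counter(e.ip for e in bucket)
        n = len(bucket)
        worst_account = max(per_user.values())
        if n < min_failures:
            verdict = "normal"
        elif worst_account >= lockout_threshold:
            verdict = "brute_force"  # one account hammered: lockout territory
        elif len(per_user) / n >= spread:
            verdict = "spray"        # many accounts, one or two tries each
        else:
            verdict = "normal"
        findings.append({
            "window_start": (start + key * window).isoformat(),
            "failures": n,
            "distinct_users": len(per_user),
            "distinct_ips": len(per_ip),
            "max_per_user": worst_account,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(build_spray_log()) + analyse(build_brute_force_log()):
        print(finding)
```

The `distinct_ips` count is reported but not used in the verdict; on a single-source spray it would be 1, and on a botnet it approaches the failure count, so it tells you which response (blocking an address versus forcing a password reset on the touched accounts) is worth anything.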

Any thoughts?
