Subject: IP: ebay sends passwords in the clear
>X-Mailer: exmh version 2.0.2 2/24/98
>Subject: fyi: ebay sends passwords in the clear
>To: Dave Farber <farber@cis.upenn.edu>, Phil Agre <pagre@alpha.oac.ucla.edu>
>cc: Jeff.Hodges@stanford.edu
>Reply-to: Jeff.Hodges@stanford.edu
>From: Jeff.Hodges@stanford.edu
>Date: Sun, 20 Feb 2000 14:36:56 -0800
>
>disclaimer: I have not used Fromm's tool to verify his claims.
>
>JeffH
>
>------- Forwarded Message
>
>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: bugtraq@lists.securityfocus.com
>Date: Wed, 16 Feb 2000 11:03:17 -0800
>Reply-To: rfromm@cs.berkeley.edu
>Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
>To: BUGTRAQ@SECURITYFOCUS.COM
>From: Richard Fromm <rfromm@cs.berkeley.edu>
>Subject: ebay sends passwords in the clear
>
>Not as bad as not encrypting credit card numbers (they do encrypt that), but
>for some reason ebay doesn't bother to encrypt passwords.
>
>While they're certainly not the only web site doing this, I consider this a
>bit more serious than a website where one's password just holds personal
>preferences. Listing items for sale or bidding on items on ebay is allegedly
>entering into a legally binding contract (although I don't know if this has
>ever been tested in a court of law). So if someone sniffs my password he/she
>has the ability to misrepresent my identity in such a way that I could
>potentially be financially liable.
>
>I've been trying to get ebay to do something about this for a month and a
>half, to no avail. See http://avocado.dhs.org/ebpd/ for details, including an
>ebay password sniffer.
>
>- - Richard Fromm
>rfromm@cs.berkeley.edu
>
>------- End of Forwarded Message