A software flaw in eBay message boards exposed some private information about eBay users, the company confirmed on Friday. The leak, which occurred on Wednesday evening, exposed a complaint database that eBay members use to “snitch” on each other for alleged breaches of the auction site’s terms of service.
In addition to the accidental release of private data such as e-mail addresses, the flaw allowed complaint targets to scan the system and discover who had turned them in, and why.
EBay said some users have been suspended from the message boards for viewing the data. And eBay spokesperson Kevin Pursglove said the company is considering further sanctions.
The security flaw was discovered at 8:30 p.m. on Wednesday by eBay users. One user posted a single URL onto eBay’s message boards that gave anyone who clicked on it access to the complaint database. Pursglove said the hole was plugged about an hour later.
It’s not clear how many personal records were viewed. Auction watchdog Rosalinda Baldwin said she’s personally seen 60 complaint files, and she suspects many others were copied before the security hole was plugged.
A typical report included a host of information about the author of the message that was in question, including their eBay alias, their e-mail address, their IP address, the number of complaints filed about the message and the eBay alias of the complainer.
EBay’s discussion boards are run by a third-party firm, Liveworld Inc., which didn’t immediately return phone calls.
The popular message boards include a report feature that makes it easy for users to complain about other users.
One target of such a complaint figured out that a tool used by Liveworld’s moderators to track complaints was posted to the Internet, and wasn’t password protected.
The URL for viewing the moderator’s tool quickly made its way onto eBay’s message boards.
One eBay user who viewed the data said visitors to the site could simply edit the URL and see if there were any complaints against any individual eBay user. He looked himself up and discovered there had been 8 complaints filed against him.
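The access-control failure described above, a moderator-only lookup reachable without any login and taking the target alias straight from the URL, as an added illustration. This is not code from the article, eBay or Liveworld; the endpoint functions, session model and complaint records are all constructed for the example. It places the unprotected lookup beside a version that authenticates the caller, authorizes against the requested alias before querying, and never shows a complaint target who reported them:

```python
from dataclasses import asdict, dataclass
from typing import Optional


@dataclass(frozen=True)
class Complaint:
    """One constructed complaint record; fields mirror those the article lists."""
    target_alias: str
    target_email: str
    target_ip: str
    complainer_alias: str
    reason: str


# Constructed sample database, not real eBay data.
COMPLAINTS = [
    Complaint("bidder42", "bidder42@example.invalid", "192.0.2.10", "seller7", "off-topic post"),
    Complaint("bidder42", "bidder42@example.invalid", "192.0.2.10", "watcher3", "personal attack"),
    Complaint("seller7", "seller7@example.invalid", "192.0.2.20", "bidder42", "spam link"),
]


@dataclass(frozen=True)
class Session:
    """Who is calling; alias None models an anonymous visitor who just clicked a URL."""
    alias: Optional[str] = None
    is_moderator: bool = False


class Forbidden(Exception):
    """Raised instead of returning data when the caller is not entitled to it."""


def lookup_unprotected(target_alias: str) -> list[dict]:
    """The failure mode in the article: no session check at all, so anyone who
    edits the alias in the URL can enumerate any user's complaints, complete
    with e-mail, IP address and the complainer's identity."""
    return [asdict(c) for c in COMPLAINTS if c.target_alias == target_alias]


def authorize(session: Session, target_alias: str) -> Optional[str]:
    """Return a denial reason, or None if the caller may view this alias.
    Decided before any database access so a denied caller cannot even learn
    whether records exist for the alias they typed into the URL."""
    if session.alias is None:
        return "login required"
    if not session.is_moderator and session.alias != target_alias:
        return "may only view complaints about yourself"
    return None


def lookup_protected(session: Session, target_alias: str) -> list[dict]:
    """Hardened version: authenticate, authorize, then query, and redact
    the complainer's identity and stored contact details for non-moderators."""
    reason = authorize(session, target_alias)
    if reason is not None:
        raise Forbidden(reason)

    records = [c for c in COMPLAINTS if c.target_alias == target_alias]
    if session.is_moderator:
        # Moderators need the full record to do their job.
        return [asdict(c) for c in records]
    # The target sees what was alleged, never who reported them.
    return [{"reason": c.reason, "complainer_alias": "[withheld]"} for c in records]


if __name__ == "__main__":
    print("unprotected:", lookup_unprotected("bidder42"))
    print("self view:", lookup_protected(Session(alias="bidder42"), "bidder42"))
    print("anonymous:", authorize(Session(), "bidder42"))
```

The ordering matters: the authorization decision runs before the query, so an anonymous visitor who edits the alias parameter gets the same refusal whether or not complaints exist, which closes the enumeration the article describes as well as the data exposure.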
“It was a dangerous URL to have out there. A serious spammer could use it to fetch lots of e-mail addresses,” he said.
But the big problem was the fact that you could see “who dropped the dime on you,” the user, who requested anonymity, said. He said he was suspended after the incident.
“I believe I was suspended for being a witness,” he said.
Baldwin said she thought eBay had suspended users who viewed the data because it was trying to cover up the incident.
“By kicking everybody off the boards, they think it’s going to keep it from getting out into the public,” she said. Discussion of the incident was rampant on a non-eBay message board, Sellyouritem.com, on Thursday and Friday, anyway, she added.
But Pursglove defended the action, saying his company viewed the incident as “unauthorized access” to eBay data. So far, users who viewed the data have been suspended only from the message boards, not from eBay itself. But that is a possibility, Pursglove said.
“Anyone who took the steps (to view the data) could face possible suspension from eBay,” he said, adding that the firm is also “reviewing appropriate federal and state statutes.”