eBay doesn't encrypt passwords!
Vulnerability

    eBay

Affected

    eBay

Description

    Richard Fromm found the following.  It is not as bad as not
    encrypting credit card numbers (they do encrypt those), but for
    some reason eBay doesn't bother to encrypt passwords.

    While they're certainly not the only web site doing this, this is
    a bit more serious than a website where one's password just holds
    personal preferences.  Listing items for sale or bidding on items
    on eBay is allegedly entering into a legally binding contract.  So
    if someone sniffs your password he/she has the ability to
    misrepresent your identity in such a way that you could
    potentially be financially liable.

    Richard has been trying to get eBay to do something about this
    for a month and a half, to no avail.  See

        http://avocado.dhs.org/ebpd/

    for details, including an eBay password sniffer.

Solution

    eBay now has a link on their Sign In feature page to sign in via
    SSL.  It's not the most obvious link.  An easy way to get there:

        - when prompted for your id/password, below the box, click the
          Sign In link
        - when prompted again for your id/password, below the box,
          click the 'here' link
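
    A way to check which kind of sign-in form a page is serving, as an
    added example that is not part of the original advisory or of eBay's
    code.  The host names, form markup and verdict labels below are
    constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAudit(HTMLParser):
    """Record every <form> that contains a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.form, self.findings = page_url, None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.form = {"action": urljoin(self.page_url, a.get("action") or ""),
                         "method": (a.get("method") or "get").lower(), "pw": False}
        elif tag == "input" and self.form and (a.get("type") or "").lower() == "password":
            self.form["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.form:
            if self.form["pw"]:
                self.findings.append((self.form["action"], verdict(self.page_url, self.form)))
            self.form = None

def verdict(page_url, form):
    if urlsplit(form["action"]).scheme != "https":
        return "CLEARTEXT"          # password readable by anyone on the path
    if form["method"] != "post":
        return "HTTPS-GET"          # encrypted, but password lands in URLs and logs
    if urlsplit(page_url).scheme != "https":
        return "HTTPS-ACTION-ONLY"  # form page itself can be altered in transit
    return "OK"

def audit(page_url, html):
    parser = FormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup (not eBay's actual pages).
DEFAULT_FORM = ('<form action="/signin" method="post"><input name="userid">'
                '<input type="password" name="pass"></form>')
SSL_FORM = DEFAULT_FORM.replace('"/signin"', '"https://secure.shop.example/signin"')

if __name__ == "__main__":
    for url, html in [("http://shop.example/signin.html", DEFAULT_FORM),
                      ("http://shop.example/signin.html", SSL_FORM),
                      ("https://secure.shop.example/signin.html", SSL_FORM)]:
        print(url, audit(url, html))
```

    A form that only offers SSL through a separate link still leaves
    the default form reporting CLEARTEXT.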
