As of the writing of this column, both eBay and Yahoo have inconsistently deployed security features to their sites that expose user IDs and passwords to prying eyes in shared network settings. That means they're compromising the confidentiality of personal information the average user probably thinks is protected.
Yahoo and eBay allow users to personalize their sites--and it's fair to say most users would prefer to keep their personal settings private. For this reason, the sites offer an extra measure of security by encrypting log-in information before passing it across the network. Both eBay and Yahoo offer a special, secure log-on page. However, to access other services or features on these sites, users have to provide their user ID and password again. Aside from the usability issue of having to log in twice, the real problem here is that there is no option to log in securely that second time around.
The end result is that, if users are accessing these services from a shared network segment (which is most often the case in business, academic, or government settings), their user IDs and passwords are transmitted across the LAN in clear text - a form all too inviting for prying eyes.
eBay's transgression is slightly worse than Yahoo's in that the information must be supplied a second time even though the user is engaged primarily in the same basic task - the auction process. Even if you're already logged in, you have to re-enter your ID and password to contact another eBay user. The page where this information is requested does not offer the option to provide this information securely (as eBay's main log-in page does).
Yahoo's oversight occurs with a completely separate, yet popular service - Yahoo! Messenger. Even if you're logged in to Yahoo securely, you have to re-enter your user ID and password to access Yahoo! Messenger. As with eBay, however, Yahoo's security features are inconsistently applied. The Yahoo! Messenger client transmits your personal information in clear text across the network.
I tested both scenarios using one of the many protocol analyzers that can be downloaded for free on either of our sister download sites.
In the right hands, a protocol analyzer is most often used to graph performance statistics or isolate a misbehaving node. But in the hands of a nosy co-worker, it can be used to intercept packets - the small envelopes of data that computers transmit to each other over the network and Internet - and read their contents. Note that nothing prohibits the person sitting in the cube next to you from downloading this software, as I did.
In my tests, I decoded my own PC's packets as I logged in securely to both eBay and Yahoo, and then accessed the features I suspected were transmitting my personal information in clear text. Sure enough, there they were--my user IDs and passwords as clear as day. Even worse, in both cases, they not only appeared one after the other, but they were also clearly identified with labels like "userid=" and "password=". It was like a giant road sign saying, "David Berlind's Passwords: This Way."
Kevin Pursglove, an eBay spokesperson, claims that "making eBay entirely SSL has been discussed, but the decision was made to leave that up to the user." Pursglove added that this option is available in the example I provided earlier and that all confidential information is SSL-protected.
Hogwash. Pursglove must be looking at a different version of eBay than I am because when I try to contact another eBay user and am asked for my ID and password, no SSL log-in option is provided. That's even after I set my preferences to remember that I am already logged in (which supposedly negates the need to re-enter ID and password). Once I use this feature and my ID and password are transmitted across the network, anyone with a protocol analyzer can view that information and gain total access to my account and the confidential information tied to it. Pursglove did not return calls further seeking clarification.
As for Yahoo, in a statement that makes it sound as though user privacy is not a priority, Brian Park, Yahoo's communications services senior producer, acknowledged the problem, saying, "We are developing a secure log-in option for future versions of Messenger to address this issue."
Here's a hint to those of you doing business on the Web and in corporate IT. There is no higher priority than protecting the confidential information of your users. These are egregious oversights on the part of eBay and Yahoo, and you need to do all you can to avoid repeating these mistakes.
At the very least, you should have periodic quality-assurance reviews of all secured "entrances" to make sure that the user experience is consistent. With so many users now logging in over high-speed connections, users won't notice performance hits if they choose to log in securely. For that reason, it makes sense to offer the secure log-in option wherever and whenever possible, regardless of the application.
A rolling set of best practices should be thoroughly documented and updated continually to reflect changes in technology (for example, wireless access), the behavior patterns of users, ever-changing legislation, trends among your competitors, and the general pulse in the IT sector. IT managers should meet regularly to walk through applications, head-to-toe, just to double-check that some newly introduced feature hasn't resulted in a "back-door" violation.
Finally, if you have any responsibility for deploying applications where security is a concern - Web-based or not - don't be afraid to test all the doors yourself and speak up when you find something that doesn't add up.
Surely, there are enough people at eBay and Yahoo who could have exercised their common sense and said something. Sooner or later, if you don't speak up, someone else will. Like the press.