
Many #eBay Users No Longer Trust It After the #Database #Breach


Almost half of eBay users have said they are less likely to use the service in the future following its recent database breach.
A poll conducted by YouGov has found that 49 percent of eBay users have lost trust in the service following its data loss, with some users having to wait over a week before they were notified of the hack.
What's more, the survey reveals that just 33 percent of eBay users have changed their passwords following the attack, although 52 percent of those who haven't say they intend to do so in the future. The other 12 percent, clearly, just aren't too bothered by the breach.
That could be eBay's fault, however, as the firm sent some users warning emails only this week, despite the breach having been discovered the previous week.
Sent out over the weekend, the email is a message from the firm's president Devin Wenig, who asked users to change their passwords as soon as possible.
"To help ensure customers' trust and security on eBay, I am asking all eBay users to change their passwords," the email read.
He explained that this is because of eBay's recent discovery of a cyberattack on its corporate information network, which compromised a database containing eBay user passwords.
"What's important for you to know: We have no evidence that your financial information was accessed or compromised. And your password was encrypted," the email continued.
On Friday, eBay made it easier for users to reset their passwords amid pressure from users complaining of the complex process involved in changing their credentials following a huge data leak, which first came to light earlier this week.
The website's homepage featured a large banner at the top centre which urges users to reset their passwords, shown below. However, these messages have now disappeared.
Since the incident was revealed, eBay has been criticised for failing to notify all its customers in a timely fashion and for the confusing process customers have to go through to change their password. However, it is now much easier for users to update their details, with a new "Reset Password" button on the homepage and improved navigation with links on the statement, which pops up when a user clicks "learn more" on the homepage (below).
News came to light on Thursday that stolen databases claiming to contain personal information of eBay users have made their way online for a pretty sum of 1.45 Bitcoin, or about £450, following the revelation on Wednesday that the auction website had been hacked and login credentials had been stolen.
The hacking came to light when eBay urged its users to change their passwords, admitting to attacks on one of its databases.
The cyber attacks didn't happen recently, though. eBay said that a database containing encrypted passwords and other non-financial data was stolen between late February and early March.
The stolen database appeared on anonymous text file site Pastebin on Thursday evening, comprising a "full eBay user database dump with 145,312,663 unique records".
However, eBay denied that the Pastebin database was legitimate. Security companies are also keen to point out that it could simply be an attempt by cyber crooks to cash in on the debacle.
Rapid7 global security strategist Trey Ford said "it's not uncommon" for criminals to spot an opportunity in such an attack by offering false credentials for sale.
"This happened with the Livingsocial breach too," he said. "In our initial analysis of the 12,663 credentials offered as a sample of the larger database, we found matches between email addresses and a popular Malaysian web forum, which may point to the true source of these credentials."
"We have no way to confirm how statistically representative the leaked APAC sample is of the broader dataset, or whether this site is the true source."
Despite admitting to the hack, the auction website said there was no evidence of suspicious activity on members' accounts, but still advised users to change their passwords as a precaution.
"After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorised activity for eBay users, and no evidence of any unauthorised access to financial or credit card information, which is stored separately in encrypted formats," the firm said in a statement, talking about itself in third person, perhaps to help distance itself from the problem.
"However, changing passwords is a best practice and will help enhance security for eBay users."
eBay said it regrets any inconvenience or concern that this password reset might cause its customers, all 128 million of them.
The database included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth, eBay said, but didn't contain financial information or other confidential personal information.
"The compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement today," the firm added.
All eBay users will be notified via email beginning later today to change their passwords.
"In addition to asking users to change their eBay password, [we are] also encouraging any eBay user who utilised the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts."
Speaking rather angrily in a blog post reacting to the news, Trend Micro VP of security research Rik Ferguson asked eBay several questions about how it could let this happen.
He said, "Effective security is no longer about designing architecture with the aim of keeping the attacker out permanently, that's a pipe dream. If they want to get in, they will get in. Effective security is about accepting the reality of compromise, putting systems and processes in place that mean you discover and react in a timely fashion and crucially that you will make it extremely difficult for the attacker to leave with what they came for. How did you score?"
"You write at the end of [Ebay's] press statement: 'The same password should never be used across multiple sites or accounts.' I agree. I'm going to end my 'statement' with this. Sensitive data especially that which you hold in trust, should always be encrypted, no exceptions."
Malwarebytes also commented on the breach. Chris Boyd, malware intelligence analyst at the firm, said, "The company says that access to corporate servers was gained when a small number of employees were compromised. Whilst it's impossible to say for sure until more detail emerges, this could be achieved as the result of a targeted 'watering hole' compromise or someone falling victim to spear phishing or another form of social engineering.
"These types of attacks aim to get inside pre-identified targets such as companies and other high-value institutions."
"It's important that people listen to eBay and, when notified by email, change their password, as well as updating any other site which uses the same log-in credentials."