Password bug exposed shoppers’ credit cards in eBay ProStores


A security researcher claims he found a serious bug in eBay ProStores that let him view customers' credit card details in plain text. Mark Litchfield, an infosec pro at Securatary, said he discovered a flaw in eBay-owned ProStores that not only opened the door to store account hijackers, but also leaked "full access to all their customers PII [Personally identifiable information] as well as their full credit information in clear text."

ProStores hosts online shops for eBay sellers to use to flog their stuff, and provides a wizard for creating the traders' websites.

Mark Litchfield said it was a very serious bug: he had reported it to eBay in February, but it took them almost two months to fix it, on March 20. He said that in order to gain control of a victim's eBay ProStores site, the attacker must create her own ProStores account (there's a handy 30-day free trial available) and then use that as a springboard to infiltrate the victim's web bazaar.

"In short, it was possible to change the password of another administrator, then you could log in as that user with full administrative access to the store," Litchfield claimed. "With this attack I guess I was more shocked than anything to find the credit card information being displayed back in clear text. If people are buying things online, why would the full card information need to be returned in clear text to the administrator?"
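The two defects described above (a password-change handler that does not check the caller owns the account it modifies, and an admin view that echoes full card numbers) are easier to reason about in code. The following is an added, hypothetical model written for this post, not ProStores' or eBay's code; the account store, field names and `demo()` scenario are all constructed. It places the broken handler beside a hardened one that binds the change to the session's own account and re-checks the current password, and adds a display-side mask so an administrator only ever sees the last four digits.

```python
"""Toy model of an access-control bug in a password-change handler, with a fix.

Illustrative code only (not the ProStores implementation). Accounts live in an
in-memory dict; passwords are stored as salted PBKDF2 hashes.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    store_id: str   # hypothetical field: which store this admin belongs to
    salt: bytes
    pw_hash: bytes


ACCOUNTS: dict = {}   # username -> Account (constructed store for the demo)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, store_id: str, password: str) -> None:
    salt = os.urandom(16)
    ACCOUNTS[username] = Account(username, store_id, salt, _hash(password, salt))


def verify_password(username: str, password: str) -> bool:
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    return hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))


class AuthorizationError(Exception):
    pass


def change_password_vulnerable(session_user: str, target_user: str, new_password: str) -> None:
    # BUG: the handler trusts the target username taken from the request and
    # never checks that it equals the logged-in user, so any account holder can
    # overwrite any other administrator's password. `session_user` is unused.
    acct = ACCOUNTS[target_user]
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)


def change_password_secure(session_user: str, target_user: str,
                           current_password: str, new_password: str) -> None:
    # Fix 1: the only account a session may change is its own.
    if session_user != target_user:
        raise AuthorizationError("may only change the password of your own account")
    # Fix 2: re-authenticate, so a hijacked session alone cannot lock the owner out.
    if not verify_password(session_user, current_password):
        raise AuthorizationError("current password incorrect")
    if len(new_password) < 12:
        raise ValueError("new password too short")
    acct = ACCOUNTS[session_user]
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)


def mask_pan(pan: str) -> str:
    """Render a card number for an admin screen: only the last four digits survive."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def demo() -> dict:
    """Constructed scenario: one admin per store; the second store's admin is a trial account."""
    ACCOUNTS.clear()
    create_account("store_a_admin", "store-A", "correct horse battery staple")
    create_account("trial_admin", "store-B", "trial-account-pw-123")

    # Broken handler: a different store's admin can reset store A's password.
    change_password_vulnerable("trial_admin", "store_a_admin", "overwritten")
    hijacked = verify_password("store_a_admin", "overwritten")

    # Reset to a known state, then show the hardened handler refuses the same request.
    create_account("store_a_admin", "store-A", "correct horse battery staple")
    try:
        change_password_secure("trial_admin", "store_a_admin",
                               "trial-account-pw-123", "overwritten-but-longer")
        blocked = False
    except AuthorizationError:
        blocked = True

    return {
        "vulnerable_hijacked": hijacked,
        "secure_blocked": blocked,
        "original_still_valid": verify_password("store_a_admin", "correct horse battery staple"),
        "admin_sees": mask_pan("4111 1111 1111 1111"),   # constructed test number
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check is the part that matters: the target of the change is derived from the authenticated session, never from a user-supplied identifier. Masking at render time is the complement to the second complaint in the quote; whether the full number should be stored at all is a separate question, but it should never reach an administrative page.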
