POC – Hacking any eBay Account

Pierluigi Paganini September 22, 2014

THN disclosed details of a critical flaw discovered by the Egyptian researcher ‘Yasser H. Ali’ four months ago, which could be used to hack any eBay account.

The Egyptian security researcher ‘Yasser H. Ali’ four months ago reported to the team of the The Hacker News portal a critical vulnerability in eBay system which could be used by threat actors to hit its users.

The researchers demonstrated to the colleagues at THN the existence of the flaw, but avoided to disclose the process to exploit it for obvious reasons. In May, eBay suffered a major data breach and in the same period security experts discovered three other critical flaws which impacted eBay users.

eBay admitted that the cyber attack has impacted nearly 145 million registered users worldwide due to the violation of company database, in response eBay immediately requested its customers to change their passwords.

Once fixed the flaw, as promised, THN has shared the details of the process explained by Yasser H. Ali and today disclosed it. The flaw discovered by Yasser found could allow hackers to Reset Password of any eBay user account without any user interaction. Ali explained that a potential attacker have to know only the login email ID or username of the victim to compromise its account.


eBay hack


Password reset procedure starts with the redirection of the used to a “password reset” page, where eBay page first generates a random code value as HTML form parameter “reqinput”, which is visible to the attacker as well using Browser’s inspect element tool.

Once the user provides his username and clicks the submit button, eBay generates a second random code, which is known only by the user, and sends the code along with a password reset link to the eBay user with the registered email address.

The user then clicks on the password reset link received via email and will be redirected to an eBay page which asks to the user to submit a new password and its confirmation in order to complete the password reset procedure for his eBay account.

Yasser discovered that instead of using the secret code, the new password HTTP request sends the same respective “reqinput” value that has been generated by eBay when the user clicked on reset password. But the attacker already knows this value an using it could compromise the victim’s account, as demonstrated in a video POC.

eBay hack 2

eBay hack 3

In the video is visible that Ali targets a THN temporary account with email address [email protected], he started the “password reset” procedure taking note for the ‘reqinput’ value from the inspect element.

Once captured the ‘reqinput’ the researcher redirected a new HTTP request to the eBay server at the password reset form action crafted with the “reqinput” value, the new password, the confirm password and password strength parameters.
The vulnerability discovered could be exploited for automated attacks on a large scale, it is just necessary to know valid ebay IDs that could be retrieved obtained from database of accounts breached in May.

Pierluigi Paganini

(Security Affairs – eBay, hacking)

you might also like

leave a comment