SCN: Passwords

Steve steve at advocate.net
Wed Apr 4 22:50:53 PDT 2001


x-no-archive: yes

=========================

How eBay and Yahoo compromise your private data

(David Berlind, ZDNet) - As of this writing, both eBay and Yahoo 
have inconsistently deployed security features to their sites that 
expose user IDs and passwords to prying eyes in shared network 
settings. That means they're compromising the confidentiality of 
personal information the average user probably thinks is protected.  

Yahoo and eBay allow users to personalize their sites - and it's fair 
to say most users would prefer to keep their personal settings 
private. For this reason, the sites offer an extra measure of security 
by encrypting log-in information before passing it across the 
network. 

Both eBay and Yahoo offer a special, secure log-on page. However, 
to access other services or features on these sites, users have to 
provide their user ID and password again. Aside from the usability 
issue of having to log in twice, the real problem here is that there is 
no option to log in securely that second time around.  

The end result is that users who are accessing these services from 
a shared network segment (which is most often the case in 
business, academic, or government settings) are having their user 
IDs and passwords transmitted across the LAN in clear text.

eBay's transgression is slightly worse than Yahoo's, in that the 
information must be supplied a second time even though the user is 
engaged primarily in the same basic task - the auction process. 
Even if you're already logged in, you have to re-enter your ID and 
password to contact another eBay user. The page where this 
information is requested does not offer the option to provide this 
information securely (as eBay's main log-in page does).  

Yahoo's oversight occurs with a completely separate, yet popular 
service - Yahoo! Messenger. Even if you're logged into Yahoo 
securely, you have to re-enter your user ID and password to access 
Yahoo! Messenger. However, like eBay, Yahoo's security features 
are inconsistently applied. The Yahoo! Messenger client transmits 
your personal information in clear text across the network.  

I tested both scenarios using one of the many protocol analyzers 
that can be downloaded for free on either of our sister download 
sites.  

In my tests, I decoded my own PC's packets as I logged in securely 
to both eBay and Yahoo, and then accessed the features I 
suspected were transmitting my personal information in clear text. 
Sure enough, there they were - my user IDs and passwords as clear 
as day. Even worse, in both cases, they not only appeared one after 
the other, but they were also clearly identified with labels like 
"userid=" and "password=".

Kevin Pursglove, an eBay spokesperson, claims that "making eBay 
entirely SSL has been discussed, but the decision was made to 
leave that up to the user." Pursglove added that this option is 
available in the example I provided earlier and that all confidential 
information is SSL-protected.  

Hogwash. Pursglove must be looking at a different version of eBay 
than I am, because when I try to contact another eBay user and am 
asked for my ID and password, no SSL log-in option is provided. 
That's even after I set my preferences to remember that I am 
already logged in (which supposedly negates the need to re-enter ID 
and password). Pursglove did not return calls further seeking 
clarification.  

As for Yahoo, in a statement that makes it sound as though user 
privacy is not a priority, Brian Park, Yahoo's communications 
services senior producer, acknowledged the problem, saying, "We 
are developing a secure log-in option for future versions of 
Messenger to address this issue."  

Here's a hint to those of you doing business on the Web and in 
corporate IT. There is no higher priority than protecting the 
confidential information of your users. These are egregious 
oversights on the part of eBay and Yahoo, and you need to do all 
you can to keep from repeating these mistakes.  

At the very least, you should have periodic quality-assurance 
reviews of all secured entrances to make sure that the user 
experience is consistent. With so many users now logging in over 
high-speed connections, users won't notice performance hits if they 
choose to log in securely. For that reason, it makes sense to offer 
the secure log-in option wherever and whenever possible, 
regardless of the application.  

A rolling set of best practices should be thoroughly documented and 
updated continually to reflect changes in technology (for example, 
wireless access), the behavior patterns of users, ever-changing 
legislation, trends among your competitors, and the general pulse in 
the IT sector. IT managers should meet regularly to walk through 
applications, head-to-toe, just to double-check that some newly 
introduced feature hasn't resulted in a back-door violation.  

Finally, if you have any responsibility for deploying applications 
where security is a concern - Web based or not - don't be afraid to 
test all the doors yourself and speak up when you find something 
that doesn't add up. Surely, there are enough people at eBay and 
Yahoo who could have exercised their common sense and said 
something. Sooner or later, if you don't speak up, someone else 
will. Like the press.  
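The check the article describes, a protocol analyzer on a shared segment picking "userid=" and "password=" out of port-80 traffic, can be automated as a review step. The following Python is an added example, not code from the article, from eBay or from Yahoo. The capture it scans is constructed, and the hostnames, the parameter-name pattern and the port-80/443 split are assumptions for illustration; a real review would feed it payloads from a sniffer or a pcap.

```python
"""Scan captured TCP payloads for credentials sent in the clear.

Added example modelling the article's test: on a shared segment a sniffer
sees every HTTP request on port 80 byte for byte, so a login form posted
without SSL exposes its fields. Hostnames and parameter names below are
constructed, not real endpoints.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that usually carry a credential (assumed list).
CRED_KEYS = re.compile(r"(user|login|uid|pass|pwd|passwd|secret)", re.I)


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Returns None if the payload does not look like an HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
    return m.group(1).decode(), m.group(2).decode(), headers, body


def credential_fields(method, target, headers, body):
    """Yield (where, field, value) for every credential-looking field in
    the query string, a form-encoded POST body, or a Basic auth header."""
    for field, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if CRED_KEYS.search(field):
            for v in values:
                yield "query", field, v
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            if CRED_KEYS.search(field):
                for v in values:
                    yield "body", field, v
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        except Exception:  # malformed header: nothing to report
            return
        yield "basic-auth", "user", user
        yield "basic-auth", "password", pw


def redact(value: str) -> str:
    """Keep the first character so a finding is recognisable, hide the rest."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def find_cleartext_credentials(packets):
    """packets: iterable of (dst_host, dst_port, payload) as a sniffer hands
    them over. Only port 80 is inspected: the same request on 443 sits
    inside TLS and the analyzer sees ciphertext."""
    findings = []
    for host, port, payload in packets:
        if port != 80:
            continue
        parsed = parse_http_request(payload)
        if parsed is None:
            continue
        method, target, headers, body = parsed
        for where, field, value in credential_fields(method, target, headers, body):
            findings.append({"host": host, "target": target, "where": where,
                             "field": field, "value": redact(value)})
    return findings


# Constructed capture: what the analyzer sees on a shared segment.
SAMPLE_CAPTURE = [
    # Main sign-in over SSL: only a TLS record reaches the wire.
    ("signin.example-auction.test", 443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b"),
    # Second sign-in for "contact a member", served without SSL.
    ("cgi.example-auction.test", 80,
     b"POST /contact-member HTTP/1.1\r\nHost: cgi.example-auction.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 37\r\n\r\n"
     b"userid=alice&password=hunter2&item=42"),
    # Messenger-style client handing the password over in a GET query.
    ("msg.example-portal.test", 80,
     b"GET /login?login=alice&passwd=s3cret HTTP/1.0\r\nHost: msg.example-portal.test\r\n\r\n"),
    # Ordinary browsing: nothing sensitive.
    ("www.example-portal.test", 80, b"GET /news HTTP/1.1\r\nHost: www.example-portal.test\r\n\r\n"),
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{f['host']}{f['target']} [{f['where']}] {f['field']}={f['value']}")
```

The SSL sign-in produces no finding because nothing readable crosses the wire; the two unencrypted re-logins are reported with their parameter names, which is exactly the "clearly labelled" exposure the article complains about. Running this over a capture of every login path on a site is the periodic consistency review the article recommends.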


* * * * * * * * * * * * * *  From the Listowner  * * * * * * * * * * * *
.	To unsubscribe from this list, send a message to:
majordomo at scn.org		In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * *     http://www.scn.org/volunteers/scn-l/     * * * * * * *
