By Ron Benvenisti: eBay’s ability to link to off-site Web sites, which lets listings pull data and pictures from outside portals such as Auctiva and others, was hijacked to send visitors to a third-party page designed to steal a user’s credentials.
The “flaw” delivers malware to an unsuspecting victim or redirects users to malicious sites that capture their email, username and password credentials, although eBay claims the fix was in place the day it was discovered. In my experience with this type of hack, a cross-site scripting exploit, the actual number of usernames, email addresses and passwords compromised is hard to pin down, but the number of records is typically very large.
Everyone who uses Amazon’s Kindle Library to store e-books or to download them to a Kindle is vulnerable to this one. Even users who only purchase e-books sold and delivered by Amazon are not safe from this flaw.
This is not the first time Amazon’s “Manage your Kindle” web application has been fixed and then broken again. Amazon reintroduced the same vulnerability at least twice before claiming it was finally fixed last week. We’ll see.
The track record on this exposure is not very good: it was first discovered on 11/15/2013 and supposedly fixed on 09/12/2014.
These vulnerabilities provide the opportunity for criminals to gain access to active eBay and Amazon accounts.
Mid-year 2014 data breaches exposed over 502 million records, far exceeding the mid-year point in 2013, the previous all-time record-setting year.
(This number does not include the recently reported exposure of 1.2 billion email addresses and user names.)
The best defense is to change the e-mail address associated with the account, delete any stored payment methods and change your password.
Ignore any email messages or phone calls purporting to be from eBay or Amazon, and go only to the official sites directly.