Online auction powerhouse eBay Inc. closed a security hole in a password-maintenance feature late Tuesday that could have allowed attackers to take over a user's account and commit fraud.
The vulnerability existed in the feature that allowed registered eBay users to change the passwords that they use to log into the site, according to Kevin Pursglove, senior director of communications at the San Jose, California, company. Though the "change your password" feature was taken offline around 5 p.m. Pacific time (1 a.m. GMT) Tuesday due to the security hole, the feature has since been fixed and put back online, he said.
The hole would have allowed an attacker who knew the publicly available name that an eBay member bids under, to change that user's password, thereby taking over the account, Pursglove said. EBay was first notified that the attack was possible by a user on March 27 or 28, Pursglove said. Users who attempted to change their passwords after the service was disabled got error messages, he added.
Although the potential existed for attackers to have access to accounts, no credit card or personal information would have been available to them, because that data is stored on separate servers and behind separate firewalls, Pursglove said.
Ebay is "in the process right now of reviewing all the password changes that have come in to us recently," Pursglove said, adding that the company has not yet received any user reports of fraud or account hijacking related to the vulnerability.
The company is "still in the process of reviewing" how the hole occurred, he said.
EBay users have been hit with other account troubles recently. Some users have reported having their accounts hijacked in recent months, though Pursglove said those incidents are unrelated to Tuesday's security hole.