A few months ago, a large-scale data breach was found on the eBay website;
it allowed an attacker to hack the eBay accounts of potentially millions
of users.
The researcher who discovered this was Egyptian-born security researcher
Yasser H. Ali. He informed The Hacker News about this vulnerability 4 months
ago, which could be used by cyber criminals in targeted attacks. At that time,
according to The Hacker News team, Mr. Yasser secretly demonstrated the
vulnerability step by step, and they then confirmed it to be working.
The Hacker News said:
“Since it was not addressed by the
eBay security team, we kept the technical details of this vulnerability hidden
from our readers. But, as we promised to share the technical details of this
interesting flaw, once after eBay team patch it. The vulnerability Yasser found
could allow you to Reset Password of any eBay user account and that too without
any user interaction or dependency. The only thing you required is the login
email ID or username of the victim you want to hack.”
To get this attack to work, an attacker would need to go to the forgotten
password section. The eBay page first generates a random code value as the
HTML form parameter “reqinput”, which is visible to the attacker as well
using the browser’s inspect element tool.
After the user provides his/her email ID and presses the submit button, eBay
generates a second random code, which is unknown to anybody except the users
themselves, and sends that code along with a password reset link to the eBay
user at the registered email address.
Once the user clicks on the password reset link provided in the email, the
user is redirected to an eBay page with a new password option, where the user
only needs to enter a new password twice and submit it in order to reset the
eBay account password.
Yasser noticed that instead of using the secret code, the new password HTTP
request sends the same “reqinput” value that was generated in the first
request, when the user clicked on reset password, and which is known to the
attacker, as shown.
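The flaw described above, modelled as server-side logic next to a hardened check (an added example, not eBay's code or the researcher's; the function names, the in-memory store, the 15-minute lifetime and the sample account are assumptions):

```python
import hashlib, hmac, secrets, time

RESET_TTL = 900   # seconds; constructed value for this example
_pending = {}     # account -> reset record (in-memory stand-in for a database)

def _now(now):
    return time.time() if now is None else now

def start_reset(account, now=None):
    """Begin a reset; returns (reqinput, emailed_code)."""
    reqinput = secrets.token_hex(8)            # placed in the HTML form, visible to the requester
    emailed_code = secrets.token_urlsafe(32)   # delivered only to the registered mailbox
    _pending[account] = {
        "reqinput": reqinput,
        # store only a hash so a database leak does not expose usable codes
        "code_hash": hashlib.sha256(emailed_code.encode()).hexdigest(),
        "expires": _now(now) + RESET_TTL,
    }
    return reqinput, emailed_code

def confirm_reset_flawed(account, reqinput):
    """Models the bug: the new-password request is authorised by the form value alone."""
    rec = _pending.get(account)
    return rec is not None and hmac.compare_digest(
        rec["reqinput"].encode(), reqinput.encode())

def confirm_reset_hardened(account, reqinput, emailed_code, now=None):
    """Requires the mailbox-only secret, enforces expiry, and is single-use."""
    rec = _pending.get(account)
    if rec is None or _now(now) > rec["expires"]:
        _pending.pop(account, None)            # drop stale records
        return False
    supplied = hashlib.sha256(emailed_code.encode()).hexdigest()
    ok = (hmac.compare_digest(rec["reqinput"].encode(), reqinput.encode())
          and hmac.compare_digest(rec["code_hash"], supplied))
    if ok:
        del _pending[account]                  # consume so the link cannot be replayed
    return ok

def demo():
    account = "user@example.test"              # constructed sample account
    reqinput, emailed = start_reset(account)
    flawed = confirm_reset_flawed(account, reqinput)             # form value only
    no_code = confirm_reset_hardened(account, reqinput, "guess") # mailbox secret missing
    with_code = confirm_reset_hardened(account, reqinput, emailed)
    replay = confirm_reset_hardened(account, reqinput, emailed)
    return flawed, no_code, with_code, replay

if __name__ == "__main__":
    print(demo())
```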
As a proof of concept, the researcher targeted a temporary account belonging
to one of The Hacker News team members, with the email address
info@thehackernews.com. First he made a password reset request at eBay for the
targeted email ID and saved the generated ‘reqinput’ value from the inspect
element tool. A video demonstrating this can be found below.
Attempting to hack any account is illegal and unethical.