EBay OMFG



  • So I get today's mail telling me I should change my eBay password, and I DuckDuckGo "ebay password reset scam" as one does, and find out that apparently I've been living under a rock for the last few days and not noticed that somebody recently managed to make off with eBay's entire authorization database. Meh. Shit happens. OK, go change the password.

    What a bunch of fucktards, honestly. No wonder they got pwned.

    First thing to do is attend to my security questions, because it seems that the passwords were the only thing in the stolen database that was encrypted: yes, if you have an eBay account, some black hat now knows your mailing address and date of birth (well, in my case they know George W Bush's date of birth, but whatevs). So I obviously can't admit to having attended 1XDYGQlrvUs3bqWm5S3v school any more, and will need to change that to TlB2mcywhspy1ZrHrJQV. No Can Do! Onoz, you've used the VERY SAME QUESTION BEFORE! OK, fuck it, my first pet was called 3nMKhNKyfUnZsSifH46Y. Fine. Onward and downward.

    Next is my email address. eBay still has my old one. Might as well fix that while I'm in here.

    Obviously my ebay username is flabdablet, and my old email address is flabdablet@gmail.com, so I try to change that to flabdablet@my.new.email.provider. No Can Do (but only after making me enter it twice and then pass a captcha) - your email address can't be the same as your account name! Dumbfucks. OK, change that to flabdablet+ebay@my.new.provider. That works. Confirmation email, bada boom bada bing, and there it is in my profile: the email address they have on file for me is now "flabdablet ebay@my.new.provider". URL escaping? Base64 encoding? Mysteries to these fucking clowns.

    So I'm finally up to changing the password, and they want a nice long one with at least two each of lowercase letters, uppercase letters, digits and special characters. OK, no problem; KeePass can enforce those requirements. So I paste in my new 20-character password, and WTF? I can't have a password that contains any of <>[]]// oh for FUCK's sake have these people learned NOTHING?

    And they run PayPal. Who had my credit card details until about five minutes ago.



  • @flabdablet said:

    And they run PayPal. Who had my credit card details until about five minutes ago.
     

    PayPal may forget a lot of things when it is convenient for them, but they will never forget a customer's credit card or bank account information.  The only way to safeky remove information from an account is to cancel the card, close any accounts tied to it, then take off and nuke the site from orbit.

     



  • 'sOK, it expires in a couple months anyway. I'll risk it.



  • Can some genius explain why the fuck does some characters aren't allowed on passwords? My bet is on a broken regex.

    The only password validation that should be enforced is min-length, anything else will simply bring pain to your users and if a person is so stupid to use "123456" as their password and their account is hacked, there's no liability. And if your site is well made, a hacker having access to one user's account shouldn't be a big deal.

    Why do you want me to use lowercase letters, uppercase letters, digits and special characters but I can't use a passphrase (hear hear Microsoft!)



  • Usually this is a giveaway that the site doesn't actually hash passwords, but passes them around in plaintext between a few boxes before (maybe) encrypting them. The specific characters that eBay prohibits could potentially fuck up embedding a password containing them inside XML and maybe JSON.


  • Discourse touched me in a no-no place

    @flabdablet said:

    Usually this is a giveaway that the site doesn't actually hash passwords, but passes them around in plaintext between a few boxes before (maybe) encrypting them.
    <thousand yard stare>

    Why would anyone even want to hold that sort of thing? It's just asking for trouble. Passing the encoded hash around would be safer and much easier.@flabdablet said:

    The specific characters that eBay prohibits could potentially fuck up embedding a password containing them inside XML and maybe JSON.
    Should be OK in JSON, and XML has quoting rules that are trivial to get systematically right. The fuckers are just inserting them as plain text in templates…



  • @dkf said:

    XML has quoting rules that are trivial to get systematically right
    Base64 encoding a user generated string before you do anything else with it is also trivial to get right, and yet we have huge corporations in 2014 trying to stop Bobby Tables and his Awful Password from bringing them to their pinstriped knees... it's pathetic, is what it is.



  • @flabdablet said:

    URL escaping? Base64 encoding? Mysteries to these fucking clowns.
     

    O, come on man, you're being too harsh. It's not as if they are this huge and successful site that's had enough time and money to hire a few real programmers.

     



  • I just tried to reset my password. I heard about everything on the news but just couldn't be bothered to do it before. Don't really use ebay that often.

    Click the big button on the home page, enter my user id. Oh, they support sending a text? Lets try that. Er, no, it doesn't work. It asks me to choose a phone number when the only one they have is already selected. Try clicking it again makes no difference. 

    Ok, lets do an email reset. Click the button, wow, that one actually works. Get the email within 10 seconds, click the link "The link you clicked on has expired, please try again". 

    Oh FFS! I give up. 

     


  • BINNED

    Read about it in the news last Wednesday (IIRC) that eBay has been hacked and users should change their passwords.
    A day later, the news said eBay is preparing to send emails to users. And I'm thinking "why haven't they done this by now already".

    Now it's Monday and I still haven't got that mail!



  • @ubersoldat said:

    Can some genius explain why the fuck does some characters aren't allowed on passwords?

    On the plus side, it tends to be difficult to type <CR><LF> in password fields, it always send the form :)



  • eBay does everything in their power to feel like a Mom and Pop operation, with Mom handling the money, Pop doing the backend code, and the web code done by someone else that also acts as the janitor.


  • BINNED

    @flabdablet said:

    So I'm finally up to changing the password, and they want a nice long one with at least two each of lowercase letters, uppercase letters, digits and special characters. OK, no problem; KeePass can enforce those requirements. So I paste in my new 20-character password, and WTF? I can't have a password that contains any of <>[]// oh for FUCK's sake have these people learned NOTHING?

    Do you use KeePass on it's own and c/p passwords or are you using some kind of browser plugin? I'm asking because I can't find an option to change generator rules anywhere in the Chrome extension so I have to resort to pasting stuff around (actually, I had to paste it to a text editor first, no idea if it's KeePass messing with the clipboard or the Chrome extension, but it wouldn't let me paste it directly into the input box).



  • @Onyx said:

    Do you use KeePass on it's own and c/p passwords or are you using some kind of browser plugin?

    I use KeePass on its own but I don't usually use copy and paste because that's more cumbersome than it needs to be.

    My usual KeePass workflow:

    • Bring the KeePass window to the front.
    • Find the KeePass entry for the site I want to log into, and double-click its URL field. I do this to make sure I'm connecting to the real site and not being phished; absent DNS poisoning or malicious proxy servers, this is safe.
    • Do any additional navigation required to expose the site's login form. Most sites have a login URL I can keep in KeePass, making this step unnecessary.
    • Click in the Username box, or triple-click in it if there's something already there. Some sites are polite enough to put keyboard focus into the Username box as soon as their login page is opened, making this step unnecessary too.
    • Click the KeePass window button in the task bar to bring KeePass back to the front, then press Ctrl-V without looking. Because I started by double-clicking a URL, the correct entry is already selected in KeePass and it auto-types the correct credentials. I've found this rather more reliable than using KeePass's global hotkey feature and it's only one extra click.

    I like this better than needing to install extensions into every browser I touch.



  • @flabdablet said:

    So I'm finally up to changing the password, and they want a nice long one with at least two each of lowercase letters, uppercase letters, digits and special characters. OK, no problem; KeePass can enforce those requirements. So I paste in my new 20-character password, and WTF? I can't have a password that contains any of <>[]// oh for FUCK's sake have these people learned NOTHING?

    Wait - you were able to paste into the password field? When I tried it, it wouldn't accept the paste. So I had to type in my new password.

    I did so, and it told me it was too weak, even though I'd followed their rules ("at least 20 characters, with at least two of lowercase, uppercase, etc"). Huh? What the heck, maybe they've got some kind of heuristic that figures out strength beyond their rules.

    Generate another one, and try again. Same result. WTF?

    Generate another one, try again. Same result.

    OK, something is hinky here. Try entering this one again, watching very carefully ...

    AHAH! Even though the instructions say "[b]at least[/b] 20 characters", they really mean "[b]at most[/b] 20 characters", and they are enforcing that silently in the password entry field. My generated passwords happen to be more than 20 characters, with the characters they consider to be strong all at the end. Since they're truncating at the first 20, my passwords are all actually weak.

    Give me a fucking break!


  • BINNED

    @RobFreundlich said:

    Wait - you were able to paste into the password field? When I tried it, it wouldn't accept the paste. So I had to type in my new password.

    I don't know what you were pasting it from, but it wouldn't let me paste directly from KeePass, had to paste it into gedit first, than copy it from gedit to Chrome. I assumed it's some security feature in KeePass but at this point, who knows.



  •  @Onyx said:

    @RobFreundlich said:
    Wait - you were able to paste into the password field? When I tried it, it wouldn't accept the paste. So I had to type in my new password.

    I don't know what you were pasting it from, but it wouldn't let me paste directly from KeePass, had to paste it into gedit first, than copy it from gedit to Chrome. I assumed it's some security feature in KeePass but at this point, who knows.

     

    YOu need paste in under 12 seconds of time from KeePass. This is the future I have built for you. 

     



  • @Onyx said:

    @RobFreundlich said:
    Wait - you were able to paste into the password field? When I tried it, it wouldn't accept the paste. So I had to type in my new password.

    I don't know what you were pasting it from, but it wouldn't let me paste directly from KeePass, had to paste it into gedit first, than copy it from gedit to Chrome. I assumed it's some security feature in KeePass but at this point, who knows.

    I copied from a generator into notepad, then tried to paste from notepad into Chrome. Maybe the paste failed because it was too long. But like you said, who knows. In any case, TRWTF (or rather, ORWTFAM) is silently chopping the password at 20 chars.



  • @flabdablet said:

    So I get today's mail telling me I should change my eBay password, and I DuckDuckGo "ebay password reset scam" as one does, and find out that apparently I've been living under a rock for the last few days and not noticed that somebody recently managed to make off with eBay's entire authorization database. Meh. Shit happens. OK, go change the password.

    Having not been living under a rock, yeah, it's real. I honestly forgot to go change my password, though, since it definitely won't be one of the low-hanging fruits when somebody starts trying to reverse all of the password hashes or crack the encryption or whatever they used.

    @flabdablet said:
    First thing to do is attend to my security questions, because it seems that the passwords were the only thing in the stolen database that was encrypted: yes, if you have an eBay account, some black hat now knows your mailing address and date of birth (well, in my case they know George W Bush's date of birth, but whatevs). So I obviously can't admit to having attended 1XDYGQlrvUs3bqWm5S3v school any more, and will need to change that to TlB2mcywhspy1ZrHrJQV. No Can Do! Onoz, you've used the VERY SAME QUESTION BEFORE! OK, fuck it, my first pet was called 3nMKhNKyfUnZsSifH46Y. Fine.

    ...I didn't have to touch my security questions. That's probably just a "hey flabdablet hasn't logged in in over ten years, he probably doesn't even remember what his favourite barista's dog's middle name was anymore so it's time to update those" that you triggered.@flabdablet said:

    Next is my email address. eBay still has my old one. Might as well fix that while I'm in here.

    Anytime I go through something so drastic as an e-mail address change (particularly when the old address is going to, you know, NOT WORK ANYMORE... and this happened to me a few weeks ago, so I'm not just what-iffing) I go through my password vault, log into everything that matters, and update the e-mail address. That's just plain sense.

    @flabdablet said:
    Obviously my ebay username is flabdablet, and my old email address is flabdablet@gmail.com, so I try to change that to flabdablet@my.new.email.provider. No Can Do (but only after making me enter it twice and then pass a captcha) - your email address can't be the same as your account name!

    Yeah, I guess that could be a problem to people who use the same username everywhere. Stop doing that.

    @flabdablet said:
    So I'm finally up to changing the password, and they want a nice long one with at least two each of lowercase letters, uppercase letters, digits and special characters. OK, no problem; KeePass can enforce those requirements. So I paste in my new 20-character password, and WTF? I can't have a password that contains any of <>[]]//

    Well, they DID give you a list of special characters that you're allowed to use, and <>[]]// weren't on the list... the list was (!@#$%^*-_+=). Although neither the "permitted" nor the "denied" lists contain characters such as .,()"{}'?:; which are probably allowed (I'm assuming they fucked up the escaping somehow and got // on the deny list instead of /)

    @flabdablet said:
    And they run PayPal. Who had my credit card details until about five minutes ago.

    If you log into PayPal as often as you log into Ebay, that card probably expired in about 1999, so it's not like that mattered.

    2 points for the fact that <>[]]// aren't permitted in your password. That one's a slam dunk. The other stuff, not really so much.



  • @anotherusername said:

    ...I didn't have to touch my security questions.
    I wasn't asked to touch mine either. After reading that the stolen passwords were encrypted but the associated date of birth and address etc. were not, with security questions and answers just quietly not mentioned, and given the fact that they didn't disclose the breach until after people started noticing it, it seemed like the prudent thing to do.

    @anotherusername said:

    I guess that could be a problem to people who use the same username everywhere. Stop doing that.
    Why? Usernames are public, not secret, and I like mine.



  • @anotherusername said:

    particularly when the old address is going to, you know, NOT WORK ANYMORE...

    I'm still in the cutover phase. I plan to leave the old one alive until I haven't seen anything but spam forwarded from it for a year.

    Also, the WTF here as far as I'm concerned is that they let me set up an account called USERNAME with an email address of USERNAME@old.provider, but when I try to change that to USERNAME@new.provider they get all no-can-do. What possible rationale could exist for that?


  • BINNED

    Is this the time to point out that I'm still worried about the use of the word "encrypted"?



  • @Onyx said:

    I'm still worried about the use of the word "encrypted"?
    It's WTF all the way down.



  • @flabdablet said:

    @anotherusername said:
    I guess that could be a problem to people who use the same username everywhere. Stop doing that.
    Why? Usernames are public, not secret, and I like mine.

    Usernames are not secret, but the correct correlation of usernames to users is. All it takes is one really dedicated asshat to make you wish that you didn't go by the same name everywhere you went. Especially if you'd like to keep your real identity more or less secret, although I guess that doesn't apply in your case.



  • Meh. I don't live in a police state, and I spend very little and block all advertising so there's no point in trying to get to me for marketing purposes, so I can't really see much use in trying to make a secret of who I am. I have yet to attract the attentions of any dedicated private obsessives, who would in any case be able to track me down through the phone book.

    I can see the value in playing the online privacy game as a game, though I'm pretty sure the only genuinely reliable way to stay private online is not to go online.

    And of course this whole thing could be a complete tissue of lies. For all anybody else knows, the flabdablet with a long and consistent history of using that name for everything everywhere could just be steganographic cover for the nefarious activities of a black hat who only ever communicates over Tor, using fresh instances of mainstream browsers on disposable VMs running mainstream operating systems hosted on cloud servers paid for through a chain of disposable prepaid credit cards acquired via disposable usernames. If I were going to do anything underhanded, that would certainly be my starting point.



  • @flabdablet said:

    Meh. I don't live in a police state

    I thought you lived in Australia?



  • @anotherusername said:

    @flabdablet said:
    Meh. I don't live in a police state

    I thought you lived in Australia?

    He said police state not prison state or everything is trying to kill you state.


  • ♿ (Parody)

    @serguey123 said:

    He said police state not prison state or everything is trying to kill you state.

    I'd go along with Australia not being a police or prison state, but aren't, like, most of the animals there poisonous?


  • Discourse touched me in a no-no place

    @boomzilla said:

    but aren't, like, most of the animals there poisonous?
    The salties aren't poisonous.


  • ♿ (Parody)

    @dkf said:

    @boomzilla said:
    but aren't, like, most of the animals there poisonous?
    The salties aren't poisonous.

    Exactly.



  •  And the yabbies.



  • Female platypuses aren't poisonous either.



  • @boomzilla said:

    I'd go along with Australia not being a police or prison state, but aren't, like, most of the animals there poisonous?
    Shit, even the snakes in Oz aren't poisonous.



  • @OzPeter said:

    Shit, even the snakes in Oz aren't poisonous.
    Except the hoop snakes. And don't even think about bushwalking without an umbrella.



  •  hehehe



  • @boomzilla said:

    @serguey123 said:
    He said police state not prison state or everything is trying to kill you state.

    [...] but aren't, like, most of the animals there poisonous?

    Well done, that's the fucking joke... Well, he's also insinuating Australia is a prison state. Because of the criminals, remember.



  •  I finally got the email from eBay this morning.  Changed my password like four days ago (first time I'd been on the site in four years, apparently).



  • @boomzilla said:

    @serguey123 said:
    He said police state not prison state or everything is trying to kill you state.

    I'd go along with Australia not being a police or prison state, but aren't, like, most of the animals there poisonous?

    <Pedantic Dickweed>The poisonous ones aren't such a worry it's the venomous ones you have to watch out for</Pedantic Dickweed>



  •  Changed my password the other day as well....pretty nice huh!


Log in to reply