Ebay sends request on every keypress when estimating your password's strength
-
they are sending a POST request to /PWDStrength for every character a user is typing into the password box. Because this is not bad enough, they are adding the email address and the username to the POST body as well.
Ebay's response:
Hello David,
Thanks for reaching out to us, but there are some reasons behind our current solutions but I wouldn’t be able to give you more details on it.
Thanks,
eBay Security Research
After receiving this email, I was wondering if Ebay checks the password in the same way when changing the password through the Ebay customer control panel. Well, yes they do, but not in the same way…
Instead of sending a POST request, they are using a GET request to send every key-press to Ebay’s servers.
He notes that they use HTTPS, but still. Why.
-
@bb36e I get that it's inefficient, but is there a security concern here?
-
@blakeyrat one potential issue he notes is the fact that anything you type in that field ends up on Ebay's servers, even if you don't submit the form.
Also, if ebay isn't making 100% sure that those GET requests aren't logged on their end... well, they would have plaintext passwords in their log files.
-
@bb36e said in Ebay sends request on every keypress when estimating your password's strength:
one potential issue he notes is the fact that anything you type in that field ends up on Ebay's servers, even if you don't submit the form.
Why is that an issue?
@bb36e said in Ebay sends request on every keypress when estimating your password's strength:
Also, if ebay isn't making 100% sure that those GET requests aren't logged on their end... well, they would have plaintext passwords in their log files.
Well I don't know about ebay, but our prod log files are already considered PMI (we do health insurance stuff), so that doesn't really matter.
If ebay's like emailing those sites unencrypted to some random person in Slovakia, then yah I guess that could be an issue.
-
@blakeyrat one potential case: suppose I type in a password that I use on other sites, but remember that hunter2 is a terrible password so I delete it. Obviously, the user is an idiot for using a password that they use on other sites and they should get their hands cut off and blah blah blah, but everyone does it. Now ebay knows my ultra-secure password without me even clicking the button. I'm sure that to most people, the idea of keyloggers is completely foreign and wouldn't cross their minds.
-
@bb36e ... ok and what do you think ebay can/will do with that knowledge? You stopped short of getting to the part where it's actually a security problem.
-
@blakeyrat they will post embarrassing statuses on my facebook.
What happens if someone who isn't ebay gets access to their data? In the interest of security, I want as little information of mine to be given to other people as possible, which is why I never use the internet.
-
@blakeyrat don't you mean
ZOMG WHEN IS EBAY GOING TO STOP DOSING EBAY'S SERVERS. WTF IS THIS SHIT.
-
@anotherusername said in Ebay sends request on every keypress when estimating your password's strength:
don't you mean
Nice @Lorne-Kates impression, 8/10 would read again.
-
@anotherusername said in Ebay sends request on every keypress when estimating your password's strength:
@blakeyrat don't you mean
ZOMG WHEN IS EBAY GOING TO STOP DOSING EBAY'S SERVERS. WTF IS THIS SHIT.
@FrostCat said in Ebay sends request on every keypress when estimating your password's strength:
Nice @Lorne-Kates impression, 8/10 would read again.
For full points, I would have gone with:
SO HOW IS LIBELOUSLY CALLING EBAY DOS'er OK?
-
@bb36e said in Ebay sends request on every keypress when estimating your password's strength:
what happens if someone who isn't ebay gets access to their data? in the interest of security, i want as little information of mine to be given to other people as possible, which is why i never use the internet.
I'll admit, sending it as GET is dumb with a capital "H", for the logging reasons mentioned above. Sure, they CAN secure those logs. But now they HAVE TO. Because passwords + plaintext.
But as for sending a POST on each keystroke-- meh. Personally I would have just replicated the password rules locally, enforced with javascript, then re-checked serverside. But two theories:
- Anti-bot measure. Might be checking to see if it even emits keystrokes. Or checks rate of typing, or something. Who knows.
- They have a massive blacklist of passwords that are no-nos, like password and hunter2. Rather than sending all of those to the client, they match the password as it's typed.
-
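The "replicate the rules locally, enforce with JavaScript, re-check server-side" approach from the post above, worked through as an added example. This is not eBay's code and not from the original thread; the minimum length, the letter-and-digit rule and every banned word other than "password" and "hunter2" are assumptions made for the example. The banned list is shipped to the browser as a Bloom filter, which is one way to check against a large blacklist without sending the whole list to the client; the server keeps the exact list for the one check that actually matters, on submit.

```javascript
// Added example, not eBay's code: keep password checking in the browser.
// Rules are enforced locally, the banned-password list is shipped as a
// compact Bloom filter (a few bytes per entry instead of the whole list),
// and the only request carrying the password is the final submit, which the
// server re-checks against the exact list. Policy values and the word list
// are assumptions for the example.

// Seeded FNV-1a (32-bit) so k different hash functions can be derived.
function fnv1a(str, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

class BloomFilter {
  constructor(bits, hashes, data) {
    this.bits = bits;
    this.hashes = hashes;
    this.data = data || new Uint8Array(Math.ceil(bits / 8));
  }
  positions(item) {
    const out = [];
    for (let k = 0; k < this.hashes; k++) {
      out.push(fnv1a(item, Math.imul(k + 1, 0x9e3779b9)) % this.bits);
    }
    return out;
  }
  add(item) {
    for (const p of this.positions(item)) this.data[p >> 3] |= 1 << (p & 7);
  }
  // False positives are possible, false negatives are not.
  mightContain(item) {
    return this.positions(item).every(p => (this.data[p >> 3] >> (p & 7)) & 1);
  }
  toBytes() { return this.data; }
  static fromBytes(bytes, bits, hashes) {
    return new BloomFilter(bits, hashes, Uint8Array.from(bytes));
  }
}

// --- server side: build the filter once from the exact list, ship the bytes ---
const BANNED = ['password', 'hunter2', '123456', 'qwerty', 'letmein']; // constructed sample list
const FILTER_BITS = 1024;
const FILTER_HASHES = 4;
function buildBannedFilter(words) {
  const f = new BloomFilter(FILTER_BITS, FILTER_HASHES);
  for (const w of words) f.add(w.toLowerCase());
  return f.toBytes(); // 128 bytes for this list; the client never sees the words
}

// --- client side: what the browser received and what it checks per keystroke ---
const MIN_LENGTH = 8; // assumed policy, not eBay's
const shippedFilter = BloomFilter.fromBytes(buildBannedFilter(BANNED), FILTER_BITS, FILTER_HASHES);

function applyRules(password, isBanned) {
  const problems = [];
  if (password.length < MIN_LENGTH) problems.push(`shorter than ${MIN_LENGTH} characters`);
  if (!/[a-z]/i.test(password) || !/[0-9]/.test(password)) problems.push('needs both letters and digits');
  if (isBanned(password.toLowerCase())) problems.push('is on the banned-password list');
  return { ok: problems.length === 0, problems };
}

// Runs on every keypress; nothing leaves the browser.
function clientCheck(password) {
  return applyRules(password, p => shippedFilter.mightContain(p));
}

// Runs once, on submit, against the exact list, so a Bloom false positive
// can only ever produce a spurious warning in the browser, never a rejection here.
const bannedExact = new Set(BANNED.map(w => w.toLowerCase()));
function serverCheck(password) {
  return applyRules(password, p => bannedExact.has(p));
}

console.log(clientCheck('hunter2'));          // fails: too short and banned
console.log(clientCheck('correct-horse-7'));  // passes locally
console.log(serverCheck('correct-horse-7'));  // passes the exact check on submit
```

The per-keystroke feedback, including the blacklist lookup, never generates a request, so a password the user types and then deletes is never seen by the server. The server still owns the decision: the client check is a convenience, and the same rules run on the single submit.
-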
@Lorne-Kates We live in a world where zxcvbn exists, so why not do it on the client?
-
It's their on-behalf-of-government password recording feature.
-
@ben_lubar said in Ebay sends request on every keypress when estimating your password's strength:
We live in a world where zxcvbn exists, so why not do it on the client?
Huh.
-
@Tsaukpaetra said in Ebay sends request on every keypress when estimating your password's strength:
@ben_lubar said in Ebay sends request on every keypress when estimating your password's strength:
We live in a world where zxcvbn exists, so why not do it on the client?
Huh.
Sure thing, whatever rocks your boat.
-
@kt_ said in Ebay sends request on every keypress when estimating your password's strength:
Sure thing, whatever rocks ~~your~~ the dictionary attacker's boat.
TBH it started with a few keyboard smashes, then I auto-corrected until it made words, and that was the result.
Originally the text was plsetmbstspdnr
-
@Tsaukpaetra said in Ebay sends request on every keypress when estimating your password's strength:
the dictionary attacker
6 words isn't going to be fun to dictionary attack unless the attacker knows that it's a grammatically correct sentence. That's a 6-letter password in a language with thousands of possible letters.
-
I see one potential, unmentioned security issue with sending a POST request for each typed character. Even if it were encrypted, I think it's easy for someone observing the data to see when requests happen, even if nothing about their contents is known.
This means an attacker with the ability to sniff the user's traffic can count the number of requests and the time intervals between them. The number of requests gives away the length of the password (unless you pressed backspace, of course), which could be used in dictionary attacks.
Perhaps the timing could even be used to identify a user, or to give away some information about the password: longer intervals could mean a "shift" was required, or awkward combinations to type. Probably not of huge significance, but still not ideal.
PS: Really, these forums giving a message I'm not authenticated because I logged in after visiting the page (in another tab)? WTF!
-
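Evo's traffic-analysis point, worked through as an added example that is not from the original post. It assumes the model under discussion: exactly one request per keypress, backspace included, with no pasting. The capture timestamps and the wordlist are constructed for the example; the server name and the URL are irrelevant to the observer, who only sees encrypted records and their timing.

```javascript
// Added example, not from the original post: what a passive observer of
// encrypted per-keystroke traffic can infer. Assumes one request per
// keypress (including backspace) and no pasting. CAPTURE_MS is a constructed
// capture of one password-change session: one timestamp (ms) per request
// the browser sent. TLS hides what was sent, not that something was sent or when.
const CAPTURE_MS = [0, 190, 370, 560, 1120, 1290, 1470, 1660];

function interArrival(timestamps) {
  const gaps = [];
  for (let i = 1; i < timestamps.length; i++) gaps.push(timestamps[i] - timestamps[i - 1]);
  return gaps;
}

// Each backspace costs one request and removes one character, so
// finalLength = requests - 2 * backspaces: the request count is an upper
// bound on the length, and the length has the same parity as the count.
function candidateLengths(requestCount, maxBackspaces) {
  const lengths = [];
  for (let b = 0; b <= maxBackspaces && requestCount - 2 * b > 0; b++) {
    lengths.push(requestCount - 2 * b);
  }
  return lengths;
}

// Flags inter-key gaps well above the typist's median rhythm. The hypothesis
// in the post is that these mark shifted or awkward-to-type transitions.
function analyze(timestamps, { maxBackspaces = 2, slowFactor = 2 } = {}) {
  if (timestamps.length < 2) {
    // A single request (e.g. one submit after local checking) carries no rhythm at all.
    return { requests: timestamps.length, candidateLengths: [], medianGapMs: null, slowTransitions: [] };
  }
  const gaps = interArrival(timestamps);
  const sorted = [...gaps].sort((a, b) => a - b);
  const medianGapMs = sorted[Math.floor(sorted.length / 2)];
  const slowTransitions = gaps
    .map((gapMs, i) => ({ afterKey: i + 1, gapMs }))
    .filter(t => t.gapMs > slowFactor * medianGapMs);
  return {
    requests: timestamps.length,
    candidateLengths: candidateLengths(timestamps.length, maxBackspaces),
    medianGapMs,
    slowTransitions,
  };
}

// Constructed wordlist standing in for a real dictionary.
const WORDLIST = ['password', 'hunter2', 'letmein', 'qwerty', '123456', 'trustno1',
  'iloveyou', 'abc123', 'football', 'baseball', 'welcome', 'admin', 'princess', 'master'];

// Keep only candidates whose length the request count allows.
function pruneWordlist(words, lengths) {
  const allowed = new Set(lengths);
  return words.filter(w => allowed.has(w.length));
}

const result = analyze(CAPTURE_MS);
console.log(result);
// 8 requests -> length 8, 6 or 4 (allowing up to two backspaces); one slow gap after key 4
console.log(pruneWordlist(WORDLIST, result.candidateLengths).length, 'of', WORDLIST.length, 'words remain');
```

Against a page that checks locally and submits once, the same observer sees one request at submit time: no count to turn into a length, no rhythm to read. The per-keystroke design is what creates the side channel, however small.
-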
@Evo That's true, a timing attack would be entirely viable, assuming, of course, that you knew the target was changing their password.
Since there's no way to know exactly what URL was requested, that might be a little difficult... but... it might possibly be feasible?
-
@Evo said in Ebay sends request on every keypress when estimating your password's strength:
Even if it would be encrypted, for someone observing the data I think it's easy to see when requests happen, even if no information about its contents are known.
That's still quite a challenging attack, especially with HTTP/1.1 keepalives about, and that's even before looking at the additional complexity of cracking the SSL protection. And for all of that, it effectively leaks less than a bit per character. Yay.
In reality, virtually any attacker would just try to get a keylogger installed instead. Get the password directly. Or they'd find an easier mark.
-
@blakeyrat eBay could steal your eBay password.
-
I agree there are easier targets. And the browser will likely add enough jitter for it not to matter. But timing attacks on manually entered SSH passwords have been shown to "reveal a surprising amount of information" under artificial conditions.
I can see how Ebay has other priorities.
-
@gleemonk said in Ebay sends request on every keypress when estimating your password's strength:
under artificial conditions
Amazing stuff can be found out when the noise floor is artificially low! News at 11.
-
@dkf Superman could totally hear it.
-
@blakeyrat Well yes, but he's too busy trying to make a film that doesn't suck to bother stealing eBay passwords.
-
@bb36e said in Ebay sends request on every keypress when estimating your password's strength:
one potential issue he notes is the fact that anything you type in that field ends up on Ebay's servers, even if you don't submit the form
Do they look at that stuff? Should we start insulting their mothers with passwords?