eBay Login Page Reveals First Name For Any Account, Raising Privacy Concerns

Liz Morton

Privacy-conscious eBay users are sounding the alarm about a seeming security blunder: the login screen reveals the first name associated with any account ID, with no password needed.

The issue was first brought up in the eBay community, where users discussed the possible implications of this serious design flaw.

I have discovered a privacy issue when logging into my eBay account. After entering my username, even without inputting the password, my name becomes visible, like 'Welcome, XXX.' Since usernames and store names are public, this reveals the real name of the store owner to anyone.

And while the flaw only appears to reveal the first name, that is still cause for concern. As longtime community member eburtonlab points out, having your first name shown in messages (rather than a generic reference like "user", "member", or "customer") has long been one point eBay provides to determine if a message supposedly from them is legitimate.

If fraudsters are able to glean that information without having to actually log in to an account, that could make it easier for them to scam unsuspecting users.

Apparently there is a security flaw -- if you enter the username and proceed to the page where the password can be entered, the first name of the user account does appear there even before the password has been entered -- and not as the result of cookies or past history on that particular computer.

First names of registered users are discoverable by entering the username into the sign-in page and proceeding to the password page without entering the password. This is dangerous because eBay relies on providing the user's name as proof that a message is actually coming from eBay, and others should not be able to connect a username to a first name outside of a transaction.

I was able to confirm the flaw myself by using an incognito browser window - it should go without saying that I am not associated in any way with either Adidas or eBay-owned TCGPlayer, do not have any knowledge of their login credentials or employees who would be named on their accounts, and had never before had reason to even attempt putting any user ID but my own into eBay's login screen.

But despite the lack of any connection to either of those IDs, I was able to replicate the flaw - though unlike eBay, I'll give the actual users the courtesy of blurring the full first name.

Users are also discussing the issue on Reddit, with some mentioning the possible GDPR implications of this apparent security lapse.

New bug on ebay that reveals anyone's first name

Just wanted everyone to be made aware of this but there's a bug where you can see the first names of any ebay user by entering their username in the login.

It matters a lot if you don't want your personal info out there and ship out behind a business name. It's a horrible idea if it's a feature.

GDPR cases abound lol :D

It's not clear if this login process is working as intended or if the apparent flaw is actually a bug - but either way, eBay needs to address the issue ASAP and take steps to notify users about it, with a warning to give extra scrutiny to official communications if nothing else.
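
The two-step sign-in behaviour users describe, next to a version that keeps the username step free of account data, as an added example (not eBay's code and not part of the original article). The account store, username, function names and messages are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _account(first_name: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"first_name": first_name, "salt": salt, "pw_hash": _hash(password, salt)}

# Constructed sample data: usernames are public, first names are not.
ACCOUNTS = {"vintage_cards_shop": _account("Dana", "correct horse battery")}
# Dummy record so unknown usernames cost the same hashing work as real ones.
_DUMMY = _account("", "unused")

def identifier_step_vulnerable(username: str) -> dict:
    """Behaviour described in the article: name shown before any password."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"next": None, "message": "Account not found."}
    return {"next": "password", "message": f"Welcome, {acct['first_name']}"}

def identifier_step_hardened(username: str) -> dict:
    """Same response for every username: nothing account-specific pre-auth."""
    return {"next": "password", "message": "Welcome"}

def password_step(username: str, password: str) -> dict:
    """Personalise the greeting only after the password verifies."""
    acct = ACCOUNTS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, acct["salt"]), acct["pw_hash"])
    if not (ok and username in ACCOUNTS):
        # One failure message for both wrong password and unknown username.
        return {"authenticated": False, "message": "Incorrect username or password."}
    return {"authenticated": True, "message": f"Welcome, {acct['first_name']}"}
```

A regression test for this class of issue compares the pre-authentication response for a known username against one for a nonexistent username and fails if they differ.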

Liz Morton is a seasoned ecommerce pro with 17 years of online marketplace sales experience, providing commentary, analysis & news about eBay, Etsy, Amazon, Shopify & more at Value Added Resource!

