Caution: eBay Messages, Account Information, and User Activity Not Secured With HTTPS
By Paul Bischoff

eBay customers need to be extra cautious when accessing their account activity, personal information, and messages stored on eBay. Sources recently pointed out to us that many pages on the site that require user input or contain personal information are not HTTPS encrypted.

eBay serves a mix of pages: some use encrypted connections while others do not. HTTPS relies on encryption to ensure that anyone who happens to intercept information traveling between a website and a user cannot decipher it. HTTPS-encrypted pages are denoted by a green padlock or “https://” in a web browser’s URL bar. As a standard best practice, all pages that either require user input or contain personal data should be HTTPS-encrypted.

While eBay does use HTTPS on its most critical pages, such as those where payment or address information is entered, it lacks encryption on several less critical, but still sensitive pages.
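One way to check which of a site’s sensitive pages are actually secured, as an added example that is not part of the original article or any eBay tooling: for each path it asks whether the plain-HTTP URL redirects straight to HTTPS, whether the HTTPS version downgrades back to HTTP, and whether it sets an HSTS header. The hostname, paths and responses are constructed stand-ins, and `fake_fetch` is a hypothetical replacement for a real HTTP client.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

@dataclass
class Response:
    status: int
    headers: dict  # header names lowercased, as an HTTP client would give them

# Constructed sample responses for a hypothetical site that secures only some
# pages (the hostname and paths are made up, not eBay's).
FAKE_SITE = {
    "http://shop.example/checkout": Response(301, {"location": "https://shop.example/checkout"}),
    "https://shop.example/checkout": Response(200, {"strict-transport-security": "max-age=31536000"}),
    "http://shop.example/messages": Response(200, {"content-type": "text/html"}),  # served in clear
    "https://shop.example/messages": Response(200, {"content-type": "text/html"}),  # no HSTS
    "http://shop.example/account": Response(302, {"location": "http://shop.example/account?v=2"}),
    "https://shop.example/account": Response(200, {"content-type": "text/html"}),
}

def fake_fetch(url):
    """Stand-in for a real client such as requests.get(url, allow_redirects=False)."""
    return FAKE_SITE[url]

def audit_path(host, path, fetch=fake_fetch):
    """Return the findings for one path; an empty list means it is properly secured."""
    findings = []
    # 1. A request over plain HTTP must be redirected straight to HTTPS.
    plain = fetch(f"http://{host}{path}")
    if plain.status in REDIRECTS:
        if urlsplit(plain.headers.get("location", "")).scheme != "https":
            findings.append("http redirects to a non-https location")
    else:
        findings.append("served over plain http without redirect")
    # 2. The HTTPS version must not bounce the user back to HTTP.
    secure = fetch(f"https://{host}{path}")
    if secure.status in REDIRECTS and urlsplit(secure.headers.get("location", "")).scheme == "http":
        findings.append("https downgrades to http")
    # 3. HSTS tells browsers never to try the plain-HTTP URL again.
    if "strict-transport-security" not in secure.headers:
        findings.append("no HSTS header")
    return findings

def audit(host, paths, fetch=fake_fetch):
    """Map each path to its findings so the unsecured pages stand out."""
    return {p: audit_path(host, p, fetch) for p in paths}
```

Swapping `fake_fetch` for a real client that does not follow redirects turns this into a live check of your own site.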

When customers exchange messages with sellers, for example, their communications are not sent over a private channel. Not only could a hacker intercept and read messages, they could also modify them in what’s known as a “man-in-the-middle” attack. This could lead to fraud or spam being sent from user accounts.

eBay does block certain types of information from being exchanged over its internal messaging system. Its member-to-member contact policy states:

We also don’t allow members to exchange email addresses, phone numbers or other contact information, web addresses, or links within ebay messaging systems.

This is primarily to prevent buyers and sellers from arranging transactions outside of the eBay system. It does help protect user privacy to a degree, but it’s only a half measure compared to the full channel encryption provided by HTTPS.

The entire My eBay dashboard lacks HTTPS encryption. This includes account activity, details, settings, preferences, and more. Much of the personal information on these pages is obfuscated; for example, my email is shown as “p…f@gmail.com” instead of the full email address. But other information is not so hidden.

All secret questions are shown in full, for example, though not their answers. Still, if a hacker knew the secret questions in advance, he or she could probably dig around for the answers. Information about friends, pets, and family is probably not so hard to come by. Once that’s done, the hacker can change the user’s password and take over their account.

Account activity logs are also not protected. Everything you buy, sell, and watch can be viewed by hackers.

“ebay has deployed a myriad of proprietary technologies to detect and prevent attempts of account misuse. These technologies run behind the scenes to protect our users’ accounts against any illegitimate access,” the company told Comparitech in a statement. “We are continuously investing at large scale into the security of our site. This includes the further development of our technologies to identify and prevent attempts of account misuse, as well as the expansion of SSL usage on our site, which is a key priority for eBay.”

eBay is hardly the only website to lack HTTPS encryption, but given that account details and messages between buyers and sellers are at risk, the need for HTTPS is clear. We urge eBay to implement HTTPS encryption on any page that requires user input or serves personal information from a customer database as soon as possible.

Learn more about HTTPS in our guide to SSL encryption.

eBay and the GDPR

eBay’s lack of HTTPS encryption on messages and customers’ private information could run afoul of consumer data protection laws, such as the upcoming GDPR.

The General Data Protection Regulation (GDPR), which comes into effect in March 2018 and covers the whole of the European Union, includes a “privacy by design” article that requires privacy settings to be set at a high level by default. In its guidance for organizations that need to comply with the GDPR, the UK Information Commissioner’s Office states that “only authorized people can access, alter, disclose, or destroy personal data.”

While the details about mandating HTTPS and other forms of in-transit encryption haven’t been fully fleshed out in the GDPR yet, experts believe encryption of personal data in transit will be a minimum technical measure under the new law.

Use a VPN

If you want to buy and sell on eBay but are concerned about your privacy, we recommend connecting to a VPN before sending messages or accessing your My eBay dashboard. A VPN encrypts all of your device’s internet traffic and routes it through an intermediary server in a location of your choosing. Between your device and the VPN server this provides a similar level of security to HTTPS, and it also masks your IP address for extra privacy.

Most reputable VPNs are subscription services that require you to install an app. Once you’re registered and the software is running, just choose a server and connect. Once the connection is established, hackers snooping the network between your device and the VPN server will not be able to decipher any traffic they intercept. Check our rankings of over 20 VPNs’ privacy and security standards to learn more.

VPNs are especially prudent when connected to unsecured or unfamiliar Wi-Fi, such as in a coffee shop, airport, or hotel.


Paul Bischoff is a tech writer covering IT-related subjects since 2012. A digital nomad who depends on the internet to make a living, he’s always seeking out the best value and highest quality products and services on the web. He previously worked as the China editor at Tech in Asia and is a regular contributor at Mashable, as well as several blogs for internet startups around the world.