Thursday, April 19, 2007

Ebay site problem

Ebay has a page where you can enter a whole bunch of information if you forget your password.

There is a whole host of sensitive information you have to enter on that page to get your password.

The page is only accessible via http.

Oh but they probably submit it via https you say.

So what. Let's say their DNS gets hacked somehow and someone sets up a fake page at that address on the server you get rerouted to when you think you're at ebay. The only way to know you are really at ebay is hitting the page itself via https, because the certificate is tied to a specific server. Without that you can be rerouted, and when you hit submit on this bogus page you have just handed a hacker your secret question/answer (which you probably used in multiple places, right?), your birth date, place of birth, etc. etc.
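As an added illustration (not from the original post): a small audit script a site owner could run over their own pages to flag exactly the pattern described above, a form that collects recovery secrets but is served from an http page, even when its action points at https. The URLs and HTML below are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input names that suggest the form collects account-recovery secrets.
SENSITIVE_HINTS = ("password", "secret", "answer", "birth", "ssn")


class FormCollector(HTMLParser):
    """Collects every <form> with its resolved action and sensitive inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A relative action resolves against the page URL, so an http
            # page with a relative action also submits over http.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "sensitive": []}
        elif tag == "input" and self._form is not None:
            name = a.get("name", "").lower()
            if a.get("type", "").lower() == "password" or any(h in name for h in SENSITIVE_HINTS):
                self._form["sensitive"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_forms(page_url, html):
    """Return (finding, action_url) pairs for forms that collect secrets.
    'unverifiable-page': the form was served over http, so the user has no
        certificate proving the form came from the real site (the post's case).
    'cleartext-submit': the action is not https, so the secrets travel unencrypted."""
    parser = FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        if urlparse(page_url).scheme != "https":
            findings.append(("unverifiable-page", form["action"]))
        if urlparse(form["action"]).scheme != "https":
            findings.append(("cleartext-submit", form["action"]))
    return findings


# Constructed sample mirroring the post: http page, https form action.
SAMPLE_HTML = """<form action="https://www.example.com/recover" method="post">
<input name="email"><input name="secret_answer"><input name="birth_date">
</form>"""
```

Running `audit_forms("http://www.example.com/forgot", SAMPLE_HTML)` reports the form as unverifiable-page; serving the same page over https clears the finding.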