eBay

sungdn · ‎09-22-2024

I have discovered a privacy issue when logging into my eBay account. After entering my username, even without inputting the password, my name becomes visible, like 'Welcome, XXX.' Since usernames and store names are public, this reveals the real name of the store owner to anyone. Using this method, I learned that the owner of LoopMobileAU is Walter, jogr_580404's owner is Antony, and auzlandugg's owner is Xinhua. I believe this is a significant privacy concern.

stainlessenginecovers · ‎09-22-2024

Are these 'stores/people' someone you have purchased from? But, knowing who owns/runs a business is NOT a privacy thing; it is actually just the opposite and a law was passed to now NOT allow people to 'hide' behind xyz when doing business online.

ebooksdiva · ‎09-22-2024

If those are real sellers names then aren't you providing a public forum with those eBay members names and violating their privacy?
And if what you say is true then you would know what my name is right?

eburtonlab · ‎09-22-2024

Are those users folks that have signed in to their accounts on the same computer you are using to see those welcome messages?

Your first name should only be visible to you, or to someone using the exact same device and browser you have used to sign in to eBay without erasing cookies in that browser.

If you try that using a different browser, or a private or incognito browser window, or another device that that user has not signed into before, you should not see that welcome message displayed until you have signed in completely including using the correct password for that account.

eburtonlab · ‎09-22-2024

@sungdn is correct -- there is a flaw. I stand corrected. I am able to recreate the issue with random usernames.

Apparently there is a security flaw -- if you enter the username and proceed to the page where the password can be entered, the first name of the user account does appear there even before the password has been entered -- and not as the result cookies or past history on that particular computer.

devon@ebay

First names of registered users are discoverable by entering the username into the sign-in page and proceeding to the password page without entering the password. This is dangerous because eBay relies on providing the user's name as proof that a message is actually coming from eBay, and others should not be able to connect a username to a first name outside of a transaction.

refreshingdrink · ‎09-22-2024

Ebay needs to fix this right now. devon@ebay kyle@ebay elizabeth@ebay

refreshingdrink · ‎09-24-2024

devon@ebay kyle@ebay elizabeth@ebay

Bumping this issue

devon@ebay · ‎09-27-2024

@sungdn wrote:

I have discovered a privacy issue when logging into my eBay account. After entering my username, even without inputting the password, my name becomes visible, like 'Welcome, XXX.' Since usernames and store names are public, this reveals the real name of the store owner to anyone. Using this method, I learned that the owner of LoopMobileAU is Walter, jogr_580404's owner is Antony, and auzlandugg's owner is Xinhua. I believe this is a significant privacy concern.

Hey @sungdn and @refreshingdrink ! Thank you for sharing this and the Product team wanted to share that they are rolling out a fix that should be completed by the end of the day.

Devon,