
How did this user (NOT a buyer) get my email address?

I'm selling an item with Buy It Now, and I'm accepting offers. I received an offer for the item yesterday and I countered it. Then things got weird.

 

I received an email from the user who made the offer, sent directly to my email address. It was not sent via the eBay messaging system (I'm a web developer and inspected the email headers — it never touched eBay's servers), I have never published this email address anywhere, and I have never worked with this buyer before (he's a new eBay user).

 

When I did not respond after an hour, he messaged me again through the actual eBay messaging system, claiming that he was having a hard time contacting me and he was afraid his first message didn't get through. He also apologized and stated that he was 80 years old and struggled using computers. When I didn't respond to that in two and a half hours, I got a phone call from eBay, where a representative lightly scolded me for not having responded to this buyer's inquiry yet (right in the middle of a busy Wednesday workday, and I have a 100% positive feedback rating).

 

When I asked the rep how this other user could have emailed me directly, she confirmed that shouldn't be possible.

 

When I messaged the user in question and asked him how he got it, he said "I had a terrible time trying to get an e-mail to you to ask questions. Kept getting notice of not being sent so I called eBay and they sent me several different note codes that I just had to enter that did not look like regular e-mail addresses so one of them apparently got thru to you."

 

I've been an eBayer since 2006, and I have absolutely no idea what he's talking about.

 

Is there a mechanism for any other user to access any other user's email address? If you call eBay, will they give out the email address of any user? What is a "note code"?

 

What is going on here? If a confused 80-year-old can get my email address, what could a more sophisticated user with bad intentions be capable of?

Message 1 of 16

Re: How did this user (NOT a buyer) get my email address?


@fab_finds4u wrote:

Note code. Like a MailTo link. Have you ever sent a message to someone on Craigslist using their message reply system? You get a string of letters and numbers @ blah blah blah craigslist for their email address. You send the email to that address and the person in the ad receives the email without you knowing what their email address was. CL was the middle man to pass on the email. Something like that. I think that's what they mean about the note code.

Yes, I am familiar with Craigslist's system and I suspected the same. However, I do not believe eBay has any type of system like this: all messages are routed directly through their messaging service. The buyer also said he was given "several different note codes" and noted they "did not look like regular email addresses".

 

I also inspected the email headers and confirmed the message was sent to my address directly from his, with no eBay proxy in between. I can plainly see his email address @aol.com.

 


@fab_finds4u wrote:

I seriously don't know what the big deal is about them having your email address.


 

It's a problem because it represents a security flaw that makes all eBay users more vulnerable to phishing attacks.

 

Consider, for a moment, what I could do if I knew your email address right now. I have your eBay username and I can see everything that you're selling.

 

With this information, it would be trivial for me (again, I'm a programmer and web developer) to create a picture-perfect spoof of an eBay notification email, just for you. It would be delivered straight to your address, it would have your username, and it would even have your item's picture and information in it. It might say your item sold, or had a new bid, or whatever. It would look exactly like the email you would receive from eBay, but when you clicked on the link, it would take you to my cloned site that looked exactly like eBay. You'd enter your username and password into my form, and just like that, I have full access to your eBay account (and probably your PayPal account, too).

 

This is what makes knowing your specific email address associated with your eBay account so powerful. It allows a potential attacker to create perfectly-tailored phishing emails that could trick even the most savvy among us.

 

Of course, this is all besides the fact that it allows buyers/sellers to bypass the eBay messaging system, nullifying all the protection that provides. Exposing an email address could also raise privacy concerns, potentially revealing a user's real name, location, or place of work. There is a reason most online platforms do not show users' email addresses.

Message 16 of 16
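
The header check described in both posts above (confirming that a message arrived directly and never passed through the platform's mail relays), as an added example that is not part of the thread. It walks the `Received` chain of two constructed messages; the relay domain `marketplace.example` and every host name and address are placeholder assumptions, not eBay's real infrastructure.

```python
import email
import re
from email import policy

# Assumption: the platform relays member-to-member mail via hosts under this domain.
PLATFORM_DOMAIN = "marketplace.example"
HOP_RE = re.compile(r"\b(from|by)\s+([A-Za-z0-9.-]+)", re.I)

def received_hops(raw):
    """Return (from_host, by_host) for each Received header, newest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # collapse folded header lines
        found = {k.lower(): h.lower().rstrip(".") for k, h in HOP_RE.findall(text)}
        hops.append((found.get("from"), found.get("by")))
    return hops

def in_domain(host, domain):
    """Exact or subdomain match only, so look-alike names do not count."""
    return host is not None and (host == domain or host.endswith("." + domain))

def touched_platform(raw, domain=PLATFORM_DOMAIN):
    """True if any hop in the Received chain names a host under the platform domain."""
    return any(in_domain(h, domain) for hop in received_hops(raw) for h in hop)

def build(sender_relay):
    """Constructed sample message whose first relay is `sender_relay`."""
    return "\n".join([
        "Return-Path: <buyer@mail.example>",
        "Received: from mx.seller-provider.example (mx.seller-provider.example [192.0.2.10])",
        "\tby inbox.seller-provider.example with ESMTPS; Wed, 01 Jan 2020 10:00:02 +0000",
        f"Received: from {sender_relay} ({sender_relay} [198.51.100.7])",
        "\tby mx.seller-provider.example with ESMTPS; Wed, 01 Jan 2020 10:00:01 +0000",
        "From: buyer@mail.example",
        "To: seller@seller-provider.example",
        "Subject: question about your item",
        "",
        "Hello, is this still available?",
    ])

DIRECT = build("out.mail.example")               # sent straight from the buyer's provider
RELAYED = build("relay7.marketplace.example")    # passed through the platform relay

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("relayed", RELAYED)):
        print(name, received_hops(raw), "platform hop:", touched_platform(raw))
```

Only the `Received` lines stamped by your own mail provider are trustworthy; earlier hops are written by the sending side and can be forged. A missing platform hop is therefore stronger evidence than a present one.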