by Ionut Cernica
On 18 January 2014 I reported to eBay an authentication bypass on one of their websites, community.ebay.co.jp.
To log in to community.ebay.co.jp you were first sent to the main eBay website, where you had to complete a form with your eBay username and password; after that you were redirected back to community.ebay.co.jp with a token.
The community.ebay.co.jp server used that token to extract the username and email address of the eBay account that generated it.
If this was the user's first login to community.ebay.co.jp, a request was then made to register a new user.
The registration request had the following important parameters:
password = eBayUsername + salt, where the "salt" was not a per-user random value at all but a fixed suffix: 123456, the worst (most common) password of 2013.
After registration, an authentication request with that username and password took place:
Because the salt was the same for every user, the community-site password of any account was simply its eBay username followed by 123456, so logging in as someone required nothing more than knowing their username, with no eBay credentials and no token involved. Usernames were easy to collect: profile pages were addressable by numeric user id, starting with userId=1 (the admin), at a URL of the form http://community.ebay.co.jp/…../profile?uid=1.
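To make the weakness concrete, here is a small Python model of the flow described above. It is an added example written for this page, not eBay's code and not the author's: a community site that provisions an account on first SSO login with password = username + static salt, a profile lookup that reveals usernames by uid, and an attacker who knows only the salt. The hardened variant, which draws a random per-user secret instead of deriving one, is an assumption added for contrast; the token format, all usernames and all e-mail addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed model of the flow described in the post; not eBay's code.
STATIC_SALT = "123456"  # the fixed "salt" the post reports


def weak_derive(username: str) -> str:
    """The scheme the post describes: password = eBay username + a static salt."""
    return username + STATIC_SALT


def strong_derive(username: str) -> str:
    """Hardened alternative (assumption): a random per-user secret that cannot be
    derived from anything public. Nobody who knows only the username can log in."""
    return secrets.token_urlsafe(32)


def _hash(password: str) -> str:
    # Toy hashing for the model; a real site would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class CommunitySite:
    """Minimal stand-in for the community site's user store and endpoints."""

    def __init__(self, derive):
        self.derive = derive      # how the SSO bridge picks the password at registration
        self.users = {}           # username -> {"email", "pw_hash"}
        self.profiles = {}        # uid -> username, what profile?uid=N reveals

    def sso_login(self, token):
        """Token handed over after the eBay login; modelled as (username, email)."""
        username, email = token
        if username not in self.users:
            # First visit: the "registration request" from the post.
            password = self.derive(username)
            self.users[username] = {"email": email, "pw_hash": _hash(password)}
            self.profiles[len(self.profiles) + 1] = username   # uid 1 = first user
            # The "authentication process" that followed registration.
            return self.password_login(username, password)
        # Returning user: assume the bridge issues a session from the token itself.
        return f"session:{username}"

    def password_login(self, username, password):
        """Plain username/password endpoint; this is what the attacker replays."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], _hash(password)):
            return None
        return f"session:{username}"

    def profile(self, uid):
        return self.profiles.get(uid)


def enumerate_usernames(site, max_uid=10):
    """Walk profile?uid=1..N the way the post describes to harvest usernames."""
    return [site.profile(uid) for uid in range(1, max_uid + 1) if site.profile(uid)]


def hijack_all(site):
    """Attacker knowing only the static salt: try username+salt for every user found."""
    return {u: site.password_login(u, u + STATIC_SALT) is not None
            for u in enumerate_usernames(site)}


def demo(derive):
    """Provision three constructed users through SSO, then run the attack."""
    site = CommunitySite(derive)
    for token in [("admin", "admin@example.invalid"),
                  ("alice", "alice@example.invalid"),
                  ("bob", "bob@example.invalid")]:
        site.sso_login(token)
    return hijack_all(site)


if __name__ == "__main__":
    print("static salt :", demo(weak_derive))    # every account falls
    print("random secret:", demo(strong_derive))  # none do
```

The point of the contrast is that the bridge never needed a guessable password in the first place: a per-user random secret (or no password login at all for SSO-provisioned accounts) keeps the enumerated usernames useless to an attacker.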
For more details about how I did this, see the video I made on YouTube: