So if I understand correctly, this was found by scanning the Alexa top 1M for exposed .git directories. It's based on research from 2015 where the authors... scanned the Alexa top 1M for exposed .git directories.
Anyone want to hazard a guess at whether anyone else between 2015 and 2018 also thought to run the same experiment with the same parameters and thus also downloaded ebay.co.jp's production database passwords and Wordpress admin credentials?
Of course, that would only be a concern if the master hacker in question decided eBay Japan's backend data was more valuable than having their name on a website that says "good job thanks".
It's beyond me why they don't reward such a guy even if they don't have any bounty program in place. 10-100K is pennies to them. It just seems more economic to pay white hats than to deal with the effects of black hats' actions.
But maybe I'm wrong and in the real world there is not much penalty for exposing data of thousands or millions of users.
I've generally read on Hacker News that having EU users is sufficient to put you within the GDPR's reach, and that for a web service there's therefore nothing that will protect you besides IP-blocking Europe.
The quote that you provide here that supposedly shows that the GDPR is irrelevant to Ebay Japan does not in fact contradict that claim.
> I've generally read on Hacker News that having EU users is sufficient to put you within the GDPR's reach, and that for a web service there's therefore nothing that will protect you besides IP-blocking Europe.
This is fairly ridiculous. If you have no European presence, you're free to ignore the GDPR. The EU has no legal jurisdiction over you; the only recourse would be for the EU to block your site and that's just not going to happen - no one wants to see a Great Firewall of the EU, can you imagine the backlash?
A prerequisite for "purchasing" (renting) a .eu TLD is that you're a European Union citizen. Technically, it's against the ToS to rent one to anyone else. If they're not aiming for the market, I think they also can't get .eu domain.
That being said, it sure will be fun when all the British people/corporations won't be able to renew their .eu domains no more!
> and that for a web service there's therefore nothing that will protect you besides IP-blocking Europe.
Which is bizarre reasoning: geo-IP databases are not foolproof, and thus you will get legitimate EU traffic from EU ISPs regardless. Further, by this reasoning, what's to say an EU customer using a VPN to exit in the US is somehow excluded from GDPR?
If someone tells you “I have no interest in serving you, because I do not wish to follow your rules”, and you disguise yourself as someone else and ask again, how could you possibly expect your rules to suddenly be followed? It would be absurd. At that point, they would have to follow all rules across all countries simultaneously, because who knows what country any given person is really from? Ask and they’ll lie, and you’ll still be on the hook!
At some point the responsibility has to fall on the user instead of the business, and I think actively skirting the rules is sufficient and a nice, clear line, to fault the user.
It is likely though that, if GDPR proves effective, other countries will soon follow suit and implement a similar set of data protection regulations.
Perhaps by then companies around the world will be forced into paying more attention to these matters, and a system of reward for white hats may become the norm.
The fact that the issue remains unaddressed just tells us the organization (as in, the management chain) is fundamentally broken from a tech point of view.
From there, it is not surprising that they would not bother to compensate white hat hackers, because we have established that the organization is fundamentally broken.
We banned you for using yet another account to break HN's guidelines, as we've done before and as you've done before. We couldn't care less which establishment you criticize.
A common trollish trick is to use explicitly female usernames, so when we come down hard on them, it looks like we're abusing women. Another common troll trick is to make self-serving proclamations about why they were banned.
And now there's confirmation that their bug bounties come with significant caveats that make payout unlikely even for large vulnerabilities. Any future vulnerabilities are now less likely to be reported.
I've been running the same scan since mid 2017 and it has netted me a substantial amount of bounties. There are hundreds of people that run internet-wide scans for exposed git. And of course I also report to companies that don't have bounties (anonymously). I actually found a different eBay domain with the same issue and they added me to their security hall of fame.
The main problem is that new developers come and go, and so do the exposed gits.
I used to have a collection of downloaded user databases in an encrypted partition in my iPod back when I was in high school.
Some were actually pretty high profile sites (probably top 100 at the time) but I was worried they'd come after me if I reported the vulnerabilities (that was the standard response before bounty programs and such) so I just dumped it and moved on.
I'm sure I'm not the only one that just did it for sport.
For what it's worth, ebay.co.jp is actually not running on their main platform. You can see the difference in the HTML code between ebay.com, ebay.de (both on the main platform) and ebay.co.jp (wordpress based). I actually don't even know if they are showing eBay listings on that website...
Good find though, and embarrassing failure. Especially since most eBay properties have penetration testing and automated scanners being run on them.
Fun fact: just entering [ebay.co.jp] gives you a "Connection refused". You explicitly have to enter [www.ebay.co.jp]. I don't know what they're doing over there.
Yahoo Japan had access to Yahoo US's source... auctions in Japan was based on the US auctions, but it continued to run after the US auctions shut down. (I don't know how it evolved after that)
Interesting! Perhaps this is why there was no reward offered - there's no real customer data being threatened? Just the passwords/source to their wordpress site?
How is that extortion? Extortion needs a threat for non-compliance. Offering to sell a company information with no consequences for rejection is an invitation to trade.
They show up and take all your electronics to investigate an extortion claim.
How far down the rabbit hole do you want to go? You might win in the end. You might get jail time. You might have a pretty rough 6 months and get nothing.
Being internet tough and going to court tend to be very different things.
What bizarre reading of my comment are you responding to? I'm saying that offering to sell someone something is objectively not extortion. That doesn't say anything about whether the justice system will interpret it as such, or whether it would be a good idea to try to sell the source to eBay.
"objectively not extortion" doesn't matter, and is completely irrelevant to the conversation being had here. The point is that if you tried doing this thing that is or isn't "objectively extortion", you're going to risk dealing with what the comment outlined above, and that is the real penalty for trying something like this.
The larger point, and the nugget you probably should come away with, is that there's a prohibitively high cost for doing what's being discussed. There most definitely is plenty to worry about here.
Yeah, obviously you shouldn't try to do what's being discussed. That goes without saying. Did you read the comment I was responding to? I feel like I'm talking to myself here.
By that definition it is not stealing to take something that is unguarded, isn't locked or surrounded by a fence, from a neighbor's lawn or a department store.
No, it's not. It's more like if Coca-cola accidentally published their recipe in the newspaper instead of an ad - that's their blunder and not corporate espionage.
Tell you what, call up a local law enforcement officer and ask for $10,000. When they say no, tell them you know where they live. See if that is considered a threat by the courts.
Well yeah obviously that's going to be considered a threat. But is that what we're talking about here? No. That would be the equivalent of contacting eBay and asking for money, then implying you "wouldn't want the source to fall into the wrong hands".
I didn't think we were contemplating selling the source back, rather selling details of how a malicious person could easily acquire the source - as one may have done as a slightly-off-white hat hacker.
It's not theft either; and we could have immediately destroyed all our data except some excerpt as proof the hack is available so we would not be handling any infringing data (despite the initial act potentially being infringing, depending on jurisdiction).
This is akin to "I went past your property and saw the door open, stepped inside and took a picture as proof; do you want to see the picture?".
Yes you're right, my description of the scenario wasn't quite accurate. Personally I don't think this scenario is unethical (beyond your responsibility to disclose potentially being to the company's users, not the company itself, meaning withholding the vulnerability might be ethically dubious) but as I understand (IANAL) it is illegal. But the law doesn't always map well onto ethics.
What if you work at a cyber security company? Could you not send an email saying you found a couple of security issues on their site and offer your services? Where is the line here?
If I find a security issue with someone's site why do I have any obligation to tell them?
I think that sadly, legally, you already broke the law doing something outside "intended use" (or whatever it's called) when you found the security issue. Unless they paid you to do the research.
This is something I don't understand. How can it be illegal to expose vulnerability without telling someone the real issue in the digital world, while having no responsibility if let's say you call a shop owner's attention that the patio's parasol might be causing injury in the physical world?
It's more like telling a shop owner that you were able to open their doors when the shop was closed by simply getting the key from under the doormat. It actually seems tricky to design law sensibly around cases like those.
These analogies never work (and I just used one elsewhere on this story too) - one could equally equate it to arriving at a business, opening the door without seeing the "closed" sign, going in and taking a photo, realising no-one is there, and leaving. Then you call the owner and say "I noticed you have a security problem". The problem is their employee forgot to lock the door, they'd indicated you shouldn't go in (posted the closed sign) and so strictly speaking you were trespassing [unlawfully entering, whatever].
Punishing the person for telling you you have a problem seems a bit silly, even if the photo they took included copyrighted material (maybe an architecture model on the counter).
After translating the site, it appears to be purely informational with the intent of helping/convincing Japanese businesses to start cross border eCommerce using ebay.
There’s IBB, the Internet Bug Bounty. But it’s for widespread open source software. Typically FOSS that isn’t well funded yet is critical to massive parts of the internet. Popular libraries, email & DNS infrastructure etc.
Ebay being a private company with boatloads of money is definitely not a part of that.
It's more for things that affect an OS or browser, I thought, but I could be misremembering; Project Zero or whatever is relevant to their efforts in securing software.
There isn't much going on here, all that happened here was that eBay Japan decided to expose their git directory to the world and also decided to store their wp-config.php file in git... Both not recommended practices. Hilarity ensued.
Revealing source code should not be a security problem. Open source is not less secure than closed source. If enough non-evil eye pairs read it and responsibly disclose their findings at least.
However, storing database passwords or password hashes in git (at least inside the same repo) is a major design flaw.
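As an added example (not code from the thread, the blog post or eBay), here is a pre-commit style check that flags the two mistakes the comments above describe: committing wp-config.php itself, and hard-coding database credentials in PHP define() calls anywhere in the tree. The function names and the credential-key list are assumptions; the placeholder values are the ones WordPress ships in wp-config-sample.php, which should still be allowed through.

```python
"""Pre-commit style secrets check for a WordPress/PHP repository.
Added example, not from the thread or any eBay code base; names are assumptions."""
import re
import sys
from pathlib import Path
from typing import Iterable, List

# Committing the live config is a problem whatever it contains;
# wp-config-sample.php is the template WordPress ships and is fine to commit.
NEVER_COMMIT = {"wp-config.php"}

# Matches e.g. define('DB_PASSWORD', 'hunter2');  group 1 = key, group 2 = value
CRED_DEFINE = re.compile(
    r"""define\(\s*['"](DB_PASSWORD|DB_USER|AUTH_KEY|SECURE_AUTH_KEY|"""
    r"""LOGGED_IN_KEY|NONCE_KEY)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""",
    re.IGNORECASE,
)

# Values from wp-config-sample.php that carry no real secret.
PLACEHOLDERS = {"", "password_here", "username_here",
                "put your unique phrase here"}


def scan_text(path: str, text: str) -> List[str]:
    """Return human-readable findings for one file's contents."""
    findings = []
    if Path(path).name in NEVER_COMMIT:
        findings.append(f"{path}: live WordPress config must not be committed")
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_DEFINE.search(line)
        if m and m.group(2) not in PLACEHOLDERS:
            findings.append(f"{path}:{lineno}: hard-coded {m.group(1).upper()}")
    return findings


def scan_files(paths: Iterable[str]) -> List[str]:
    """Scan files on disk, e.g. the output of `git diff --cached --name-only`."""
    findings = []
    for p in paths:
        try:
            findings += scan_text(p, Path(p).read_text(errors="replace"))
        except OSError:
            continue  # deleted or unreadable path: nothing to leak
    return findings


if __name__ == "__main__":
    problems = scan_files(sys.argv[1:])
    print("\n".join(problems) or "no credentials found")
    sys.exit(1 if problems else 0)  # non-zero exit blocks the commit
```

Wire it up as `.git/hooks/pre-commit` with `git diff --cached --name-only | xargs python3 check_secrets.py`; a non-zero exit aborts the commit before the file reaches the repository.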
I highly doubt this is an off-the-shelf Wordpress install. In fact, a standard WP is not > 1gb of data, which the post describes.
There will be a massive amount of customization, so revealing source code probably is a security risk. I’m willing to bet a competent code auditor could find secondary vulns in that code.
Did he actually need to download all of their source code to prove the vulnerability though? It seemed that he could have simply stopped when he extracted ref HEAD. It is this extra exploitation that gets researchers into trouble.
Yes, it was necessary to download all the code to prove for example that it wasn't just unrelated data in that repo. Furthermore a big part of this issue is that database keys were stored in the repo. Source code of the site alone wouldn't have been so critical.
Their site is misconfigured, idk if it's just me but when I go to "ebay.co.jp" without https:// or https://www. in front of the domain it just says unable to connect.
It is? What in the world lol I figured they forgot to point that part of the domain to the wrong server or something. Unless it's behind some corporate firewall?
"Pwning" and "dumping source code" aren't the same. I think code should be written with the assumption that it will be leaked. Getting DB passwords isn't that meaningful if you don't have access to the DB because of firewalls.
Some more information: https://www.slideshare.net/RandyShoup/the-ebay-architecture-... (slide 10)
That ebayisapi.dll was 3.3 million lines of code. Currently it is only still in the URL for SEO/backwards compatibility reasons, all of their main frontend code is Java based (V3/V4)
Thanks for sharing that! It might be from 2011, but it is still very informative.
I am surprised EbayISAPI.dll was C++ - I always assumed it was a mess of .NET. It makes sense considering how old Ebay is though.
I see over and over again the 'no database would scale big enough, so we had to build our own'. If only opensource databases got spanner-style auto-sharding and auto-loadbalancing sooner, millions of engineer-hours could have been better spent!
> Currently it is only still in the URL for SEO/backwards compatibility reasons
Can't imagine ebay having any problem moving to new URLs nor getting any significant boost in referrals from such actions. What other backwards compatibility is at issue, scraping apps?
Panda absolutely wrecked eBay's organic SR multiple times. Getting this 100% right 100% of the time is critical to eBay. I was on staff (but not working on this) when Panda 4 happened to them: https://www.wordstream.com/blog/ws/2014/05/21/panda-4
He downloaded the source code, not the database, so no user data.
Still questionable to some degree, one could demonstrate the problem without a full download.
Why do you think he "only" downloaded the source? He wrote:
> I got 1.2 GB of data to go through. The data-set contained:
> Wordpress configuration files (yes, they use Wordpress) including hashed user credentials for the backend login
> Database passwords for production databases
> Log files
> A lot of PHP source code (who could have guessed?!)
> much more …
They publicly hosted their .git folder on their web server (which it says in the blog post). They had those things committed to version control (stupid) and publicly served it (stupid). Nothing was stolen.
If something is available via HTTP that you didn't want, how is it different than downloading HTML that you did? The protocol knows nothing about your intent.