Experts savage eBay's hack response; Ellison replaced as Oracle CEO; Aussie cops want more Google user data
Experts have criticised eBay for its response to a cross-site scripting hack designed to steal users’ credentials that has been around since at least February.
The BBC reported last week that attackers created product listing pages on eBay that included malicious JavaScript code that automatically redirected users to a web page set up to harvest users’ credentials.
The page was designed to look like eBay’s welcome page. Users only had to click the original listing to have their browser hijacked, the BBC reported.
The online auction company was made aware of the attack but only removed the listings after a follow-up call from the BBC more than 12 hours later.
“eBay is a large company and it should have a 24/7 response team to deal with this - and this case is unambiguously bad,” the BBC quoted Dr Steven Murdoch from University College London’s Information Security Research Group as saying.
Murdoch identified the hack as a cross-site scripting attack.
The BBC later reported that it had found multiple listings from multiple users exploiting the same vulnerability, and that at least one user had reported the issue to eBay in February.
The BBC said it had found 64 listings from the previous 15 days that appeared to use cross-site scripting to hijack browsers.
SC UK reported Charles Sweeney, CEO of web filtering company Bloxx, as saying: “What is really concerning is that, once again, eBay has demonstrated an unacceptable attitude to their user’s safety being compromised online. That they seemingly had to be chased by the BBC in order to take action is shocking.”
Ellison leaves CEO role
Larry Ellison has left the CEO position at Oracle, to be replaced by two co-CEOs: Oracle staffers Safra Catz and Mark Hurd. Ellison is not leaving the company, however; the board has elected him as executive chairman and appointed him as chief technology officer.
“Safra and Mark will now report to the Oracle Board rather than to me,” Ellison said. “All the other reporting relationships will remain unchanged.”
“While there was some speculation Larry could step down, the timing is a bit of a head-scratcher and the Street will have many questions,” Reuters quoted Daniel Ives, an analyst at FBR Capital Markets, as saying. “Investors have a mixed view of Safra and especially Hurd as co-CEOs, given the missteps we have seen from the company over the past few years.”
“Rarely is this a good idea,” the WSJ quoted Rick Summer, an equity analyst at Morningstar, as saying. “There’s probably going to be little change in the short term, but longer term there’s always a question mark over this approach. In five years’ time, I would be surprised if Safra and Mark are still co-CEOs.”
Aussie authorities want more from Google
Search giant Google has released its latest transparency report figures, revealing that Australian authorities requested more information on Google users in the first half of 2014 than in the same period in 2013.
“Google regularly receives requests from governments and courts around the world to hand over user data. In this report, we disclose the number of requests we receive from each government in six-month periods with certain limitations,” Google explained.
According to the latest figures - covering January to June 2014 - Australian authorities made 752 requests to Google. This represents a 3.6% drop from the six-month period covering the second half of 2013.
But the recent figure is actually a 20.9% leap from the same period in 2013.
Similarly, the number of users/accounts specified in authorities’ requests (844) was down 10.6% from the previous six months, but up 17% year on year.
Google provided authorities with some data in response to 66% of the 752 requests from Australian authorities.
Google noted the “user/accounts” discussed above is not the total number of users that have been the subject of a request, for several reasons.
“For example, the same Gmail account may be specified in several different requests for user information, perhaps once in a subpoena and then later in a search warrant. We add both instances to the user/accounts total even though it’s the same account,” Google said.
Is the Australian tech skills gap a myth?
As Australia navigates this shift towards a skills-based economy, addressing the learning gap...
How 'pre-mortem' analysis can support successful IT deployments
As IT projects become more complex, the adoption of pre-mortem analysis should be a standard...
The key to navigating the data privacy dilemma
Feeding personal and sensitive consumer data into AI models presents a privacy challenge.