
Pwning eBay – How I Dumped eBay Japan's Website Source Code - iamnotroot
https://slashcrypto.org/2018/11/28/eBay-source-code-leak/
======
sgentle
So if I understand correctly, this was found by scanning the Alexa top 1M for
exposed .git directories. It's based on research from 2015 where the
authors... scanned the Alexa top 1M for exposed .git directories.

Anyone want to hazard a guess at whether anyone else between 2015 and 2018
also thought to run the same experiment with the same parameters and thus also
downloaded ebay.co.jp's production database passwords and WordPress admin
credentials?

Of course, that would only be a concern if the master hacker in question
decided eBay Japan's backend data was more valuable than having their name on
a website that says "good job thanks".

~~~
comboy
It's beyond me why they don't reward such a guy even if they don't have any
bounty program in place. 10-100K is pennies to them. It just seems more
economical to pay white hats than to deal with the effects of black hats' actions.

But maybe I'm wrong and in the real world there is not much penalty for
exposing the data of thousands or millions of users...

~~~
s_dev
Before GDPR there actually wasn't much penalty for reckless collection and
storage of personal data. Only PR damage had to be considered.

~~~
eiurafhlfie
Bear in mind though that eBay Japan does not target EU/no/ch customers, which
is a requirement for the "big reach" of the GDPR.

Wikipedia excerpt: "... for all individuals within the European Union (EU) and
the European Economic Area (EEA)."

[https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)

~~~
XCabbage
I've generally read on Hacker News that having EU users is sufficient to put
you within the GDPR's reach, and that for a web service there's therefore
nothing that will protect you besides IP-blocking Europe.

The quote that you provide here that supposedly shows that the GDPR is
irrelevant to eBay Japan does not in fact contradict that claim.

Do you have an excerpt or other source that does?

~~~
yc-kraln
Amusingly, if a European citizen is not in Europe, they are also covered, so
IP banning Europe will not help you.

~~~
ashelmire
The analysis I’ve seen from lawyers is that it only applies to EU citizens
inside the EU.

------
hkolk
For what it's worth, ebay.co.jp is actually not running on their main
platform. You can see the difference in the HTML code between ebay.com,
ebay.de (both on the main platform) and ebay.co.jp (wordpress based). I
actually don't even know if they are showing eBay listings on that website...

Good find though, and an embarrassing failure. Especially since most eBay
properties have penetration testing and automated scanners run on them.

~~~
codemusings
Fun fact: just entering [ebay.co.jp] gives you a "Connection refused". You
explicitly have to enter [www.ebay.co.jp]. I don't know what they're doing
over there.

~~~
giancarlostoro
I had the same issue, I wanted to see the site everyone was talking about; if
you append www. or https://www. in front of it, it works.

~~~
richrichardsson
For future reference, prepend is the word you wanted.

"If you prepend www. or https://www. it works."

~~~
giancarlostoro
Ah yes, hadn't had my coffee yet. Prefix is the word I usually use more
commonly instead, not sure if there's a huge difference between the two.

~~~
cevn
I think prepend makes more sense as a verb. Prefix is more commonly used as a
noun.

------
bufferoverflow
What kind of cashless bug bounty is that?

You got their source code, passwords. That deserves at least $10K.

~~~
kypro
What's the legality of saying "I have your source code, but I won't tell you
how until you give me x"?

If you don't plan to do any harm to the company with what you know, is there
anything wrong with asking for a reward before you disclose the bug?

~~~
joshschreuder
It's probably still extortion regardless of intent if they say no. How are
they to know you won't do anything malicious?

~~~
beaconstudios
How is that extortion? Extortion needs a threat for non-compliance. Offering
to sell a company information with no consequences for rejection is an
invitation to trade.

~~~
brianwawok
So they respond by reporting you to the CIA/FBI.

They show up and take all your electronics to investigate an extortion claim.

How far down the rabbit hole do you want to go? You might win in the end. You
might get jail time. You might have a pretty rough 6 months and get nothing.

Being internet tough and going to court tend to be very different things.

~~~
jstanley
If that is what happens, people will start doing it anonymously and asking for
Bitcoins.

~~~
alexmorenodev
I see what you did there.

------
fybe
>No cash reward

Well that just sucks. It was clearly in scope and should have been rewarded.
Clear example of information leakage.

------
philliphaydon
Wow he totally deserves a reward. I can only imagine the impact of that repo
being leaked online by someone with ill intent.

~~~
rvnx
At the same time, it's just the source code for a WordPress (which is already
public).

~~~
ThinkBeat
Um, eBay runs on WordPress?

~~~
dschiffner
No, eBay as the auction site does not. ebay.co.jp does.

~~~
pbhjpbhj
That seems kinda strange. What business is ebay.co.jp in then if they don't
run an auction site?

~~~
dschiffner
After translating the site, it appears to be purely informational, with the
intent of helping/convincing Japanese businesses to start cross-border
eCommerce using eBay.

------
devoply
There isn't much going on here. All that happened here was that eBay Japan
decided to expose their git directory to the world and also decided to store
their wp-config.php file in git... Both are not recommended practices. Hilarity
ensued.
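The exposure the comment above describes is trivial to verify on your own deployment: if `/.git/HEAD` comes back with what git itself writes into that file, the whole repository is reachable. This is an added self-check, not code from the blog post or from eBay; the `example.test` hosts and their responses are constructed, and the fetcher is injectable so the logic runs offline. It also handles the catch-all route that answers 200 with HTML for any path, which a naive status-only check would misreport.

```python
import re
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/master")
# or, when detached, a bare 40-hex commit id.
GIT_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")

def looks_like_git_head(body: str) -> bool:
    """True if the text is what git itself writes to .git/HEAD."""
    return bool(GIT_HEAD_RE.match(body.strip()))

def check_git_exposure(base_url: str, fetch) -> dict:
    """Probe <base_url>/.git/HEAD via fetch(url) -> (status, body)."""
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    # 200 alone is not enough: single-page apps answer 200 for every path.
    exposed = status == 200 and looks_like_git_head(body)
    return {"status": status, "exposed": exposed}

def http_fetch(url: str, timeout: float = 5.0):
    """Default fetcher for a live check: plain GET returning (status, text)."""
    req = Request(url, headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urlopen(req, timeout=timeout) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return 0, ""

# Constructed responses standing in for live servers (hypothetical hosts):
# one serving the repo, one denying /.git/, one SPA with a catch-all route.
CONSTRUCTED = {
    "https://example.test/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "https://hardened.example.test/.git/HEAD": (403, "<html>Forbidden</html>"),
    "https://spa.example.test/.git/HEAD": (200, "<!doctype html><title>App</title>"),
}

def fake_fetch(url):
    return CONSTRUCTED.get(url, (404, ""))

if __name__ == "__main__":
    for host in ("https://example.test", "https://hardened.example.test",
                 "https://spa.example.test"):
        print(host, check_git_exposure(host, fake_fetch))
    # Against a real host you own: check_git_exposure("https://your.host", http_fetch)
```

A finding here means the fix is at the deployment level: do not ship the `.git` directory to the web root at all, or have the web server deny every path under `/.git/`.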

------
usr1106
Revealing source code should not be a security problem. Open source is not
less secure than closed source, at least if enough non-evil pairs of eyes read
it and responsibly disclose their findings.

However, storing database passwords or password hashes in git (at least inside
the same repo) is a major design flaw.
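The design flaw the comment above names (live database passwords and salts committed in wp-config.php) is easy to catch before it reaches the repository. This is an added pre-commit style guard, not code from the blog post or from eBay; the constant names are the ones WordPress actually expects in wp-config.php, the wp-config.php fragment is constructed, and the script name `wp_config_guard.py` is hypothetical. The report names the constant and line but never echoes the value, so the check itself leaks nothing.

```python
import re
import sys

# Constants WordPress reads from wp-config.php whose values must never reach git.
SECRET_CONSTANTS = {
    "DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST",
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}

# Matches define('NAME', 'value') or define("NAME", "value"), any spacing.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)""")

# Values that are template placeholders rather than real credentials.
PLACEHOLDERS = {"", "put your unique phrase here", "database_name_here",
                "username_here", "password_here", "localhost"}

def find_committed_secrets(php_source: str) -> list:
    """Return (line_number, constant) for each secret constant holding a live value.
    Values are deliberately not returned so the report cannot leak them."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = DEFINE_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if name in SECRET_CONSTANTS and value.strip().lower() not in PLACEHOLDERS:
            hits.append((lineno, name))
    return hits

# Constructed wp-config.php fragment (not eBay's), as it looks when someone
# commits the live config instead of a template plus environment variables.
CONSTRUCTED_WP_CONFIG = """<?php
define('DB_NAME', 'wp_prod');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'hunter2-but-longer');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'put your unique phrase here');
define('WP_DEBUG', false);
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    # pre-commit usage: python wp_config_guard.py wp-config.php
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_WP_CONFIG
    findings = find_committed_secrets(src)
    for lineno, name in findings:
        print(f"line {lineno}: {name} holds a live value; move it to the environment")
    sys.exit(1 if findings else 0)
```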

~~~
libdjml
I highly doubt this is an off-the-shelf WordPress install. In fact, a standard
WP install is not > 1 GB of data, which the post describes.

There will be a massive amount of customization, so revealing source code
probably is a security risk. I’m willing to bet a competent code auditor could
find secondary vulns in that code.

~~~
Domenic_S
The resources folder containing images/etc was probably checked into git.
Happens more than you might think...

------
verroq
Did he actually need to download all of their source code to prove the
vulnerability though? It seemed that he could have simply stopped when he
extracted ref HEAD. It is this extra exploitation that gets researchers into
trouble.

~~~
shawnz
Yes, it was necessary to download all the code to prove, for example, that it
wasn't just unrelated data in that repo. Furthermore, a big part of this issue
is that database keys were stored in the repo. Source code of the site alone
wouldn't have been so critical.

------
giancarlostoro
Their site is misconfigured, idk if it's just me but when I go to "ebay.co.jp"
without https:// or https://www. in front of the domain it just says unable to
connect.

~~~
jiveturkey
It's not misconfigured. That's intentional. Why? idk.

~~~
giancarlostoro
It is? What in the world lol I figured they forgot to point that part of the
domain to the wrong server or something. Unless it's behind some corporate
firewall?

------
kevinsimper
I had the idea that bug bounty programs were to prevent people from selling
the exploits to the highest bidder?

~~~
Insanity
Yeah, I am not sure if it is in their best interest to not do so.

Other people finding flaws with eBay might be more tempted now to sell it to
the highest bidder rather than expose it to them.

(Assuming their morals are already a bit questionable to begin with)

------
wufufufu
"Pwning" and "dumping source code" aren't the same. I think code should be
written with the assumption that it will be leaked. Getting DB passwords isn't
that meaningful if you don't have access to the DB because of firewalls.

------
amaccuish
Interestingly, they used to run on IIS, which is why you saw a lot of
ebayisapi.dll in their URLs.

~~~
hkolk
Some more information: [https://www.slideshare.net/RandyShoup/the-ebay-architecture-...](https://www.slideshare.net/RandyShoup/the-ebay-architecture-striking-a-balance-between-site-stability-feature-velocity-performance-and-cost) (slide 10). That ebayisapi.dll was 3.3 million lines of code. Currently it is only still in the URL for SEO/backwards compatibility reasons; all of their main frontend code is Java based (V3/V4).

~~~
pbhjpbhj
>Currently it is only still in the URL for SEO/backwards compatibility reasons
//

Can't imagine ebay having any problem moving to new URLs nor getting any
significant boost in referrals from such actions. What other backwards
compatibility is at issue, scraping apps?

~~~
Domenic_S
Panda absolutely wrecked eBay's organic SR multiple times. Getting this 100%
right 100% of the time is critical to eBay. I was on staff (but not working on
this) when Panda 4 happened to them:
[https://www.wordstream.com/blog/ws/2014/05/21/panda-4](https://www.wordstream.com/blog/ws/2014/05/21/panda-4)

------
i_phish_cats
It's beyond me why anyone would risk criminal prosecution for reporting a bug
for free.

------
netsec7
Great write-up, thanks for sharing!

------
tomcooks
Fuck this website and its rewriting of my keyboard shortcuts, my back button
and history.

Fuck this.

------
TekMol
So the author transferred tons of private data of eBay users to his computer?
This seems like a significant crime.

Why didn't eBay alert the FBI or something?

~~~
NewsAware
He downloaded the source code, not the database, so no user data. Still
questionable to some degree; one could demonstrate the problem without a full
download.

~~~
TekMol
Why do you think he "only" downloaded the source? He wrote:

    I got 1.2 GB of data to go through. The data-set contained:

    Wordpress configuration files (yes, they use Wordpress)
    including hashed user credentials for the backend login

    Database passwords for production databases

    Log files

    A lot of PHP source code (who could have guessed?!)

    much more …

~~~
ashelmire
They publicly hosted their .git folder on their web server (which it says in
the blog post). They had those things committed to version control (stupid)
and publicly served it (stupid). Nothing was stolen.

~~~
coldcode
If something is available via HTTP that you didn't want, how is it different
than downloading HTML that you did? The protocol knows nothing about your
intent.

