SSD Advisory – eBay Arbitrary Invoice Disclosure

Vulnerability Description
A vulnerability in the way invoices are handled by eBay allows users that sell items on eBay to view other’s reseller’s invoices. Though access to the invoice is somewhat arbitrary, there is no easy way to find a specific invoice of a specific seller, it is possible to harvest a large amount of invoice and gather sensitive information from them. This information includes (though not in all invoices):

  • Full customer address (including full name, street, zip, city and country)
  • Private account IDs (useable for phone identification with eBay hotline service)
  • Public account ID
  • Access to current and past listings
  • Customer´s subscription plan
  • Customer´s personal IDs, if applicable

 
A malicious attacker could exploit this information leakage to:
 

  • Gain control over the customer´s account
  • Using it as an information source for an identity theft
  • To trick the customer with highly detailed phishing mails into providing even more data to the attacker

Vendor Response
The vulnerability was reported to eBay which has implemented security precautions to prevent access to third-party invoices (those who you are not a seller of).
Vulnerability Details
Open http://www.ebay.co.uk/ in Firefox (any recent version in default config should work)
Research was done on ebay.co.uk but also verified on different other eBay country sites.
Sign in into an active ebay seller account.
NOTE An eBay account is considered active if at least one transaction activity, like listing an auction, selling an item, purchasing a subscription etc. has been invoiced.
Click on “My eBay” –> “Account”
Select any invoice and click “Go”
ebay_image_1
The specified invoice will now open.
You now want to click the “seller account” link.
ebay_image_2
You will see the overview invoice dashboard again.
Select the same invoice you just chose again and hit “go”
A new browser window will open. (or at least a message informing about a popup window. If the popup message shows, just allow popups for this site).
The new browser window will contain the same invoice, but will show a different URL in the address bar.
Have a look at the URL line, it should now look like this:

http://cgi3.ebay.co.uk/ws/eBayISAPI.dllViewInvoice&cid=007&acctpagetype=1&invoiceMonthYear=2:2014:241033060:21:false

You can now modify the bill ID and change it´s value, in this example the bill ID is “292771160“, you can change it to lower or higher values like 292771141 or 292771154.
If an eBay user with the ID 292771141 or 292771154 generated any invoice within this date index, you can open this users invoice just by loading the modified URL line, which should read like this for ID 292771154:

http://cgi3.ebay.co.uk/ws/eBayISAPI.dllViewInvoice&cid=007&acctpagetype=1&invoiceMonthYear=2:2014:241033054:21:false

User data is exposed this way because you can access anyone´s invoice just by entering the bill ID for any given date index.
Instead of opening your own invoice you will open someone else´s invoice.
Known limitations and prerequisites:
 

  1. You need an active ebay account with at least one actually invoiced activity within the last 18 month
  2. You can only access bill IDs within a month you actually received an invoice, like in this example the invoice for February 2014: 2:2014:292771160:21: The last two digits ( 21 in this example) represent the database index ID. Ebay raises this number about every six month. So, for Feb 2014 it shows 21 while in Mai 2015 it raised to 24