EBay's security team isn't going to get a break for a while.
Following an attack disclosed last week that exposed sensitive information of up to 145 million people, the auction giant is scrambling to repair several other problems reported in its vast network by security enthusiasts.
"As a company, we take all vulnerabilities reported to us very seriously, evaluating any reported issue within the context of our entire security infrastructure," wrote Ryan Moore, lead manager of eBay's business communications, in an email to IDG News Service.
EBay has long been a target for cybercriminals. It is the seventh most visited site in the U.S, according to statistics from Amazon's Alexa Web analytics unit. Its combination of a marketplace and payments platform, PayPal, means it holds sensitive data and poses opportunity for fraudsters.
Three U.S. states — Connecticut, Florida and Illinois — are jointly investigating eBay's data breach, a sign that regulators and law enforcement are taking a keen interest in how consumer data is protected following Target's data breach last year.
EBay's size puts it in the league of companies such as Facebook, Google and Microsoft. All run large networks constantly prodded by "black hat" hackers, those who are seeking to damage a company or profit from attacks, and "white hats," who alert companies to problems.
Yasser Ali, a 27-year-old who lives in Luxor, Egypt, said it took him all of three minutes last week to find a serious vulnerability that could let him take over anyone's eBay account if he knows a person's user name, which is public information.
Ali shared a video with eBay showing how the flaw could be exploited, he said in a phone interview Tuesday night. He hasn't received a response from eBay, but said the video was viewed by company officials 17 times, according to a statistics counter on the clip. Moore said eBay has now fixed the bug, and Ali plans to release details of it.
Ali, who quit his job as a mechanical engineer last month to focus on information security, has found other bugs before in eBay and is named in a list of security gurus who have helped out. But he said he has little incentive to continue analyzing eBay since the company doesn't pay for vulnerability information.
"They are not like Google's security team, and they are not like Facebook," Ali said, noting those companies have close ties with the research community. "This will kill their reputation."
Google, Facebook, Yahoo and others pay independent researchers rewards up to thousands of dollars for security information. The payments are an incentive for security enthusiasts, who spend long hours on their own time to look for flaws.
Sign up for Computerworld eNewsletters.