Steps to replicate:
- Login to ebay.com.au with correct credentials
- Navigate to he home page
- Hover the mouse to the top left hand corner under the "G'Day <First Name>"
- Be greeted with a hover over panel with <First Name> <Last Name> in plain sight.
Conducting a Wireshark trace illustrates the issue. A sting search in packet details for GH_alertData will display the first / last name.
Why is this bad:
Potentially a hacker can gain easy access to your first, last name and ebay id and use this info to produce a phishing email or collect this data for further attacks.
Where can this happen:
The most likely place for this to happen is over an unencrypted wireless network, i.e at the airport or the cafe. Wired networks are also vulnerable.
What can ebay do:
Secure their website by using the https protocol for the entire website.
What else sucks:
On a internet connection that can stall, i.e 3G/wifi, the hover function can time out and throw up the message, "We're sorry, there was a problem retrieving this information". Now the user can easily log out without refreshing the page.