
Pmack
(stranger)
10/23/07 12:54 PM
Re: problem with profiles [re: bluepennylady]  

Hi Judy, thanks for the quick reply. Here are some clarifications.

Although my post was unclear, I have been changing the User ID field in addition to the profile name. This is why I was so confused.

I expected the API to submit the new username to eBay for authorization and expected it to fail because I hadn't given it an authorization.

I expected that since I changed both my username AND password, AW wouldn't be able to log into my account. After all, I gave permission for it to access "One", which no longer exists. Somehow, AW is able to get around this.

So I did a bit of testing, and I am horrified to report that AW has a MASSIVE security hole.

To give a little more background detail, I made the name change on my original account ("One" to "One_Old") on September 5 and opened the new account ("Two") on the same day. I had not logged in or used "One_Old" since Sept 5. I started using "Two" on October 5, after 30 days had passed (so I didn't have a new icon next to my name). I posted a few auctions manually, but only yesterday, Oct 22, did I attempt to use AW to post an auction.

This is important, because at no time did I ever enter the username "One_Old" into AW. I did not accidentally type it in somewhere. On Oct 22, in the course of trying to fix this problem, I changed the password on the "One_Old" account through eBay. As it stands right now, if I gave you the username and password that I supplied to AW and asked you to log into my account, your login would fail. It does not fail for AW, and that's the security hole.

AW bypasses the eBay login ENTIRELY. If you change your eBay password for security reasons, your account can still be accessed by anyone who can restore one of your database backup files.

I just performed another test. I am typing this on a laptop with an installation of AW that I haven't used since August. I just started it up and posted an auction. The profile and auction ID say "One", but the auction posted to "One_Old". AW is blissfully unaware that the username and password on the account have been changed. It appears the Auction User ID field has no effect, and that the profile itself has authorization. What you type is irrelevant.

Dave





 