Buyers and sellers using the online marketplace eBay may be revealing far more than their interest in vintage furniture or video games. Researchers at the New York University Polytechnic School of Engineering and NYU Shanghai have discovered a privacy flaw that allows site visitors to view a buyer’s complete purchase history—including sensitive items like gun accessories and at-home medical tests for pregnancy or HIV.
The privacy flaw operates as follows: Every eBay user’s profile includes a “Feedback as a Buyer” page, where those who have sold items to that person can post comments. An estimated 70 percent of sellers leave feedback for buyers, and this section is entirely public—a user need not even sign into eBay to access this information. Along with their comments, the seller also leaves a record of his or her own username and the time of sale but does not disclose the actual item purchased. By visiting the seller’s feedback page, however, it is relatively easy to match the time stamp of the sale and thus identify the item that was purchased.
In the event that more than one sale matches the time stamp, which may happen with automated sales, the researchers still found it fairly straightforward to identify purchase histories. eBay assigns a pseudonym to each username listed in sales records, and that pseudonym follows a formula that makes deriving the username possible in nearly every case: In a test database of 5,580 feedback records, the researchers matched 96 percent of buyers’ feedback records to a single seller feedback record, complete with purchase details.
In some cases, the researchers were able to take this attack one step further: Among a database of nearly 131,000 eBay usernames, they were able to link 17 percent to Facebook profiles, thus revealing the users’ real names.
This research was partially funded by grants from the National Science Foundation. The full paper is available at https://petsymposium.org/2014/papers/Minkus.pdf.
Read more from PRNewswire.