Researchers say an eBay flaw exposes shoppers’ past purchases

The loophole could expose sensitive purchases, such as at-home medical tests, says a new report.

Zak Stambor

A flaw in a section of eBay where buyers and sellers can offer feedback allows online marketplace visitors to view other shoppers’ past purchase histories, including highly sensitive purchases, such as at-home medical tests, according to a new report by two New York University researchers.

The report, “I know what you’re buying: privacy breaches on eBay,” says the flaw is contained on the “Feedback as a Buyer” page where sellers can leave feedback for buyers that is accessible from every eBay user’s profile page. The feedback section, which is public—a user does not have to sign into eBay to access the information—also lets sellers leave a record of his user name and the time of sale. While the site doesn’t disclose the actual item purchased, a user can visit the seller’s feedback page and match a sale’s time stamp to identify the purchased item.

Even when more than one sale matches the time stamp, which may happen with automated sales, the researchers were still able to identify purchase histories because eBay assigns a pseudonym to each user name listed in sales records and the online marketplace follows a formula to assign that pseudonym. The researchers were then able to get the username for the person who bought the item in nearly every case. In a test database of 5,580 feedback records, the researchers matched 96% of buyers’ feedback records to a single seller’s feedback record along with complete purchase details.

In some cases, the researchers could gather even more information about buyers. They linked 17% of the 131,000 eBay user names in one database back to those consumers’ Facebook profiles, revealing more information about those shoppers.

The researchers say they have notified eBay of their findings and suggested ways to plug the privacy gaps, but that the online marketplace has not yet made any changes. An eBay spokesman says the report's characterization of the "supposed" security flaw is "grossly inaccurate." 

"Our marketplace was designed to function with a high degree of transparency," he says. "Transparency creates trust between a buyer and seller, and trust is essential to a global marketplace. Under the current system, unless a buyer discloses his user ID to another person, no one will be able to discern his purchase history. Buyers can ensure their purchase history is not linked to their identities by choosing a user ID dissimilar to their actual name, preventing third-parties from identifying them through social media platforms." 

Tehila Minkus, one of the researchers, who is a PhD candidate in NYU’s computer science and engineering department, disagrees. She says that eBay's system, which enables users to discover what other shoppers are buying, could have a big impact on consumers.

“While compiling data on purchasers of pregnancy or at-home HIV test is useful to a fairly limited group—perhaps advertisers or pharmaceutical companies—assembling a database of those who have purchased gun accessories may have considerably more impact.”

EBay doesn’t enable merchants to sell gun accessories on its marketplace, but they can sell gun-related accessories like gun holsters that indicate that a buyer likely owns a gun. In their research, the researchers found sales records for more than 292,332 gun holsters purchased by more than 228,332 consumers. Of those, they found 35,262 eBay accounts linked to their Facebook accounts.

Those findings demonstrate that the privacy loophole can provide leads for law enforcement officers and private investigators looking for unregistered gun owners, as well as expose private information to other organizations, such as those that perform background checks or aggregate consumer data.

EBay could fix the patch, Minkus and her collaborator Keith Ross say, with some simple steps. For instance, the online marketplace could change the default setting of seller’s feedback to buyers so that the comments would be public but the actual item sold would not be linked on either the buyer’s or seller’s pages.



e-payments and security, eBay Inc., New York University, online marketplaces