Researchers at New York University (NYU) have found a major security flaw in eBay that can expose a buyer's purchase history to any site visitor.
According to the paper, titled "I Know What You’re Buying: Privacy Breaches on eBay", the purchase history of the buyer can include sensitive products like at-home medical tests for HIV or pregnancy and items including gun accessories.
eBay has a public section named "Feedback as a Buyer", where a seller can post a comment about the buyer.
According to the research, 70% of sellers give feedback for buyers, and the researchers claimed that a user does not need to register their name in order to see the section, which is entirely public.
The researchers added that by going to a seller's feedback page, one can match the timestamp of the sale and identify the purchased item.
NYU Shanghai’s Dean of Engineering and Computer, Keith Ross, said: "This breach can be exploited on a scale ranging from a snooping spouse or an employer investigating an individual’s buying habits to a large-scale, automated attack that could quickly link millions of people with their purchases.
"This is exactly the kind of information that could be very valuable to marketers, cybercriminals, or even law enforcement officials."
Tehila Minkus, co-author of the study, said: "This privacy loophole can provide leads for law enforcement or private investigators looking for unregistered gun owners, but it can also give private information to background-check providers or data aggregators who want to include gun ownership in their records."
The researchers recommended that eBay users use two separate accounts: a public account for selling goods and a private account for purchasing.