Posted July 17th, 2014
Buyers and sellers using the online marketplace eBay may be revealing far more than their interest in vintage furniture or video games. Researchers at the New York University Polytechnic School of Engineering and NYU Shanghai have discovered a privacy flaw that allows site visitors to view a buyer’s complete purchase history—including sensitive items like gun accessories and at-home medical tests for pregnancy or HIV.
Keith W. Ross, Dean of Engineering and Computer Science at NYU Shanghai and the Leonard J. Shustek Professor of Computer Science and Engineering at the NYU School of Engineering, presented the paper co-authored with doctoral candidate Tehila Minkus, “I Know What You’re Buying: Privacy Breaches on eBay” at the Privacy Enhancing Technology Symposium this week in Amsterdam.
Minkus and Ross began their inquiry when Minkus, herself an eBay user, was browsing the feedback section of a would-be purchaser’s eBay profile following a botched transaction. “Feedback as a Buyer” and “Feedback as a Seller” are essential features of the eBay marketplace, allowing users to leave comments on their purchase experiences to create trust and foster confidence during transactions.
While reviewing this particular buyer’s feedback, Minkus noticed that, with very little effort, she was able to obtain a list of all of his previous purchases. Further probing revealed a substantial privacy loophole in the eBay marketplace, one that can expose highly sensitive purchases, such as gun accessories or at-home medical tests.
“This breach can be exploited on a scale ranging from a snooping spouse or an employer investigating an individual’s buying habits to a large-scale, automated attack that could quickly link millions of people with their purchases,” Ross said. “This is exactly the kind of information that could be very valuable to marketers, cybercriminals, or even law enforcement officials.”
The privacy flaw operates as follows: Every eBay user’s profile includes a “Feedback as a Buyer” page, where those who have sold items to that person can post comments. An estimated 70 percent of sellers leave feedback for buyers, and this section is entirely public—a user need not even sign into eBay to access this information. Along with their comments, the seller also leaves a record of his or her own username and the time of sale but does not disclose the actual item purchased. By visiting the seller’s feedback page, however, it is relatively easy to match the time stamp of the sale and thus identify the item that was purchased.
In the event that more than one sale matches the time stamp, which may happen with automated sales, the researchers still found it fairly straightforward to identify purchase histories. eBay assigns a pseudonym to each username listed in sales records, and that pseudonym follows a formula that makes deriving the username possible in nearly every case: In a test database of 5,580 feedback records, the researchers matched 96 percent of buyers’ feedback records to a single seller feedback record, complete with purchase details.
In some cases, the researchers were able to take this attack one step further: Among a database of nearly 131,000 eBay usernames, they were able to link 17 percent to Facebook profiles, thus revealing the users’ real names.
“While compiling data on purchasers of pregnancy or at-home HIV tests is useful to a fairly limited group—perhaps advertisers or pharmaceutical companies—assembling a database of those who have purchased gun accessories may have considerably more impact,” said Minkus.
She explained that while eBay does not sell firearms, the marketplace does sell a wide array of gun-related accessories. For this study, the researchers searched for those who had purchased gun holsters, presumably an indication of gun ownership. They recovered sales records for more than 292,827 gun holsters purchased by 228,332 individuals. Of those, 35,262 were linked to full names as they appear on Facebook.
“This privacy loophole can provide leads for law enforcement or private investigators looking for unregistered gun owners, but it can also give private information to background-check providers or data aggregators who want to include gun ownership in their records,” Minkus added.
The researchers also conducted a survey of about 1,000 eBay users to gauge their expectations of privacy on the site. Surprisingly, when asked where they prefer to make a sensitive or private purchase, a plurality—nearly 39 percent—selected eBay, noting that they believed the site was a more discrete vendor than a physical store. Additionally, 38 percent of those surveyed believed that their purchase histories were visible to no one except them.
Minkus and Ross notified eBay of their findings, offering suggestions to patch the privacy flaw. Among them are changing the default setting of seller’s feedback to buyers in a way such that the comments would be public but the actual item sold would never be linked on either the buyer’s or seller’s pages. The researchers also advocate generalizing the time stamp accompanying feedback—at present, this includes a date and exact time, which is unnecessary and allows for linkages between buyers and sellers. Finally, they recommended that eBay generate random pseudonyms for buyers listed on a seller’s feedback pages rather than using a persistent pseudonym.
They recommend that eBay users maintain two separate accounts, a private profile for buying and a public account for selling.
This research was partially funded by grants from the National Science Foundation. The full paper is available at https://petsymposium.org/2014/papers/Minkus.pdf.