Ebay sniping services - are passwords stored in plaintext?

We can't really tell you how specific services implement this functionality.

But we can tell you what is possible:

  1. They store the credentials. This cannot be happening in hashed form, as the plaintext password is required. At most, it is stored in encrypted form, meaning that all passwords will be leaked if an attacker gains access to the key. If you have to enter your ebay password when signing up with the service, you can assume that this case applies. I would strongly suggest not to expose your password to third services.
  2. They use the ebay API [*]. It uses tokens to authenticate a user, so the user doesn't actually enter their password on any third-party sites, but instead, those sites get an access token.

[*] This is speculation. Theoretically, it should be possible to implement sniping functionality via this API - it provides bidding and authentication functionality -, but I did not try to implement it in practice.


would the passwords on these services be stored in plain text

Since they need your plain text password to log into ebay they would need to store it either as plain text or encrypted in a reversible way (i.e. not hashed). In the latter case there must be some way to decrypt the password, i.e. either a readable key or a library which does the decryption (and which could interface with some hardware based secure storage).

While the exact details are specific to each service you can summarize that if the service gets hacked your password will probably get exposed, either directly because it was stored plain text or indirectly because it was decrypted.