AuctionBytes Blog
Covering auctions, collectibles and marketplace selling.

The AuctionBytes Blog has been giving a voice to online merchants since its launch in 2005. Named one of the world's top 30 blogs in 2008 by "Blogging Heroes." Weigh in with your thoughts on the joys and pitfalls of selling online.
Thu Mar 13 2008 05:57:24

eBay Watchdog Security Demo

By: Ina Steiner


Falle-Internet.de invited us to witness what they said would be a demonstration of an eBay security vulnerability. We signed into eBay at the appointed time and visited a listing they had created on eBay Germany. On another computer we were monitoring a page Falle-Internet.de had set up that they said would display our eBay account information as soon as we had visited their eBay listing. Sure enough, it did.

This is a known cross-site scripting vulnerability. eBay said they have software to detect malicious code on eBay.com, and policies in place on eBay Germany to prevent listings like this from launching.

In Thursday's Newsflash, we are publishing a full account of this demonstration.

Falle-Internet.de sprang from an eBay Germany chat room on security issues. Our contact said the watchdog group was frustrated with eBay Germany's lack of attention to the problem, and that is why they conducted the demonstration.


Readers Comments

eBay Watchdog Security Demo

by: CEP

Thu Mar 13 08:06:18 2008

Can we now assume they won't be getting the Better Business President's Award?

"eBay Inc. will receive the BBB President’s Award for sustained superior performance. “In just 13 years, eBay had truly changed the marketplace and shaped the definition and expectation of trust between buyers and sellers,” said Cole. “eBay has demonstrated clear leadership and fostered trust between members by keeping the marketplace safe for consumers around the globe.” He also mentioned that eBay is “a model for active, meaningful involvement in communities.”"

eBay Watchdog Security Demo

by: Scot Wingo

Thu Mar 13 09:24:39 2008

I'm confused.  If eBay has software to not allow these kinds of listings, then how did Falle-Internet.de get the listing on eBay?  Or was it not really on eBay?

Are they saying that the protection software eBay has doesn't work?

Scot

eBay Watchdog Security Demo

by: John LaRouche

Thu Mar 13 09:51:01 2008

Interesting article. As a side note, eBay Live Auctions will sometimes open the Java applet with an address bar which can be modified with eBay usernames. Java applet windows are not supposed to open with an address bar.

eBay Watchdog Security Demo

by: David Steiner

Thu Mar 13 10:13:26 2008

Scot,

The auction with the malicious code was listed on eBay.de. We were able to pull up the listing by searching on the US site. According to eBay, they handle this type of situation differently on the US and German sites.

eBay Germany uses a policy that doesn't allow a user to list auctions with JS or Flash unless they have 500 feedback or 500 days on the site. This user account only had 15 feedback, but met the 500 day requirement.

We were told that eBay.com uses software to scan listings for malicious code, and that this listing would never have made it onto the US site. However, if you can pull international listings up via eBay.com search, I suppose that it doesn't much matter if your US site has a detection engine if all the eBay.xx sites aren't on the same page.

David
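Added example, not code from the original post, eBay or Falle-Internet.de: a Python model of the two controls David describes, eBay.de's tenure/feedback gate for JS and Flash and eBay.com's scan of listing content. It shows why the gate alone is weak (an account with 15 feedback but 500+ days passes it) while a scan of the description HTML flags the Flash embed and inline script regardless of who posted them. Tag lists, thresholds and the sample listing are assumptions.

```python
# Added example, not code from eBay, Falle-Internet.de or the original post. It
# models eBay.de's tenure/feedback gate for active content and a scan of the
# seller-supplied description HTML. Thresholds, tag lists and sample are assumed.
from html.parser import HTMLParser
import re

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "form", "meta", "link", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
ACTIVE_CSS = re.compile(r"expression\s*\(|url\s*\(\s*['\"]?\s*(javascript|data)\s*:", re.I)

class ListingScanner(HTMLParser):
    def __init__(self):
        super().__init__()  # attribute values arrive entity-decoded, so &#106;avascript: is caught
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and SCRIPT_SCHEME.match(value):
                self.findings.append(f"script URL in {name} on <{tag}>")
            elif name == "style" and ACTIVE_CSS.search(value):
                self.findings.append(f"active CSS in style on <{tag}>")

    handle_startendtag = handle_starttag  # self-closing <embed .../> is reported the same way

def scan_listing(html):
    """Return the findings for one description; an empty list means no active content seen."""
    scanner = ListingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def tenure_gate_allows_active(feedback, days_on_site):
    """Gate as reported in the comments (assumed thresholds): 500 feedback OR 500 days."""
    return feedback >= 500 or days_on_site >= 500

def listing_decision(html, feedback, days_on_site):
    """The gate alone admits a long-tenured, low-feedback account; the content scan does not."""
    findings = scan_listing(html)
    if not findings:
        return "accept"
    return "review" if tenure_gate_allows_active(feedback, days_on_site) else "reject"

SAMPLE_LISTING = (  # constructed sample: plain text plus a Flash embed and an inline handler
    "<p>Vintage camera, works great.</p>"
    '<embed src="http://example.invalid/promo.swf" type="application/x-shockwave-flash">'
    '<a href="javascript:void(0)" onmouseover="track()">details</a>'
)
```

A scanner like this is a detection layer; the stronger fix the commenters ask for is to render descriptions through an allowlist that drops everything not on it.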

eBay Watchdog Security Demo

by: Lisa

Thu Mar 13 11:38:15 2008

YIPPEE!
HA HA HA HA HA HA HA
FEEBAY IS SOOO BUSTED!
(NOT GRAMMATICALLY CORRECT, I KNOW...) BUT, IT FELT SO GOOD TO WRITE IT!

eBay Watchdog Security Demo

by: Mary

Thu Mar 13 12:31:54 2008

eBay should spend some of their time addressing major security issues, as opposed to focusing on how to infuriate its seller base. Why are government agencies such as the FTC not investigating eBay, its business practices and lack of security?

eBay Watchdog Security Demo

by: Gail

Thu Mar 13 12:46:50 2008

eBay has continually blamed its users for giving away their own personal information. Hopefully, this article will lay open their broad-brushed excuse to scrutiny.

Rather than plugging known security holes, eBay has methodically destroyed the transparency of its site.  One minor solution might be to do away with Second Chance Offers, or is it already too late for that?

Why doesn't eBay eliminate js from its user defined areas? The answer is simple....the major use of js and flash in the description area is by powersellers. Draw your own conclusions.

eBay Watchdog Security Demo

by: Scot Wingo

Thu Mar 13 14:11:43 2008

Hi David,

Thanks for the clarification.  One more question - when the malicious code revealed your user information was it just your ebay user ID, or was it able to get your password/location or other private elements?

Scot

eBay Watchdog Security Demo

by: David Steiner

Thu Mar 13 15:27:33 2008

Scot,

When we visited the auction, after being logged into eBay normally, the following account information was displayed to us:

IP
Timestamp (time that we visited the auction)
Street Address on file with eBay
Username
Secret Question (not the answer)
Email address
Full Bank Routing Number
Last 4 digits of Bank Account
Last 4 digits of Credit Card Number
CC Expiration Date
Watched Items
Favorite Sellers
Account Balance (we had 0, so it didn't display - I can only assume this would have worked)

When we clicked on the "Place Bid" button, the following additional information was displayed:

IP
Timestamp (time that we BID on the auction)
Username
Password

Screenshot can be found here: http://www.auctionbytes.com/exploit/exploit_L4.jpg
There are some details that I crossed out for obvious reasons.

The password displayed is not the real password for this account. I don't believe there is a way to extract the encrypted password of a user simply by visiting the auction.

According to the person giving the demo, I could have entered any password and it would have displayed, however, there is enough information revealed just by visiting the listing, that a scammer could use fake SCO's or other phishing techniques using the account holder's personal information, to extract the password from the user.

eBay Watchdog Security Demo

by: Ann Farmer

Thu Mar 13 16:47:38 2008

I am one of many who are not computer savvy and don't understand some of the terms used in this article. If I understand correctly, computer hackers can alter any of my listings on ebay, using them to collect information on both me and my buyers. Reading eBay's response of not allowing scripting for low volume/new sellers, how was the German listing corrupted, when the seller only had 15 feedback?  
I am not surprised that eBay has done nothing to protect us, and my account was taken over in the summer of 2006. Luckily, I was online doing listings when all 184 store listings disappeared. Suddenly I had two auctions for bicycles posted under my user name. I phoned eBay immediately, changed passwords, etc., so I was able to nip it in the bud that time. What made me so angry was eBay accusing me of providing my info to the thief or responding to spoofs. I had forwarded over 200 spoof emails to ebay in just one month prior to this happening. I do check all headers, never respond to anything that doesn't come through ebay email, but I have since stopped bothering sending anything to eBay.
I am one ebayer who has all but abandoned ship, and after reading this, I am glad I have.
Will someone more knowledgeable please spell this out for me?
I know I must keep Java updated and that refers to script, but I don't even know what that means. Why won't ebay fix this problem, if it's this simple?
Any help would be appreciated. I did link my email address.
Ann

eBay Watchdog Security Demo

by: Ming the Merciless

Thu Mar 13 18:40:43 2008

One wonders how ebay explains away the hacker Vladuz and how he or she has managed to hack into ebay USA numerous times.

On the most recent occasion that I'm aware of, Vladuz captured not just the last four digits of sellers' credit card numbers but the entire number and then posted hundreds of sellers' IDs, passwords, credit card numbers, etc. in several internet locations.

If this is ebay's idea of "security," we're all in trouble. But then this is nothing new. It's *always* been this way.

Ebay has always operated on the cheap and dirty -- sloppy, buggy code and to hell with the harmful consequences on listings or members' personal information.

Remember, it's ALL ABOUT EBAY AND WHAT EBAY PERCEIVES TO BE THE MOST PROFITABLE FOR EBAY.

Ebay doesn't care whether your credit card(s) are compromised, whether your account is compromised, whether your listings are sabotaged, or whether your identity is stolen because of their laughable, inept "security."

After all, there's no financial damage to ebay when things like this happen only to you, and YOU don't matter in the grand ebay scheme of things except for how much money they can squeeze out of you for services they often don't perform or provide.

Can you spell pathological liars?

eBay Watchdog Security Demo

by: dee

Thu Mar 13 21:44:56 2008

This isn't really news as the exploits have been known for several years - by both eBay and hackers, phishers and assorted pond scum...

It would be news if eBay fixed the problem and prevented cross-site scripting exploits but I'm afraid their paid code monkeys only get peanuts as rewards. Now if they used real programmers then they might stand a chance - yeah, right!

eBay Watchdog Security Demo

by: Mike

Thu Mar 13 23:10:15 2008

Both eBay buyers and sellers spend a great deal of time whining about eBay. They get together and boycott eBay. eBay could care less and spins every story (no matter what the subject) to its own conclusion. They have the mentality that they're big enough, arrogant enough and bold enough to tell their buyers and sellers ''take it or leave it''. One day, someone will come up with the eBay alternative. I can't imagine that there's not an individual or small group who are working in their garage or basement on code and a site design that could put eBay to total shame. In fact, shame on eBay and its quasi management team for taking what was a great place to sell and buy stuff and turning it into a place which people love to hate. What's even more astounding is that eBay is nothing more than a website - no brick and mortar - no real value - no real assets other than the assets they go out and buy to put their own sellers out of business. Maybe I'm off-topic at the moment, but I bet that if 100 of the top sellers on eBay got together in a room and put up $25,000 apiece they could build an auction site and venue to rival eBay. All it takes is getting the right people together, and if thousands could get together and boycott eBay then it stands to reason that those people could also form an alliance to build the next best thing:-)

eBay Watchdog Security Demo

by: Mike

Thu Mar 13 23:31:23 2008

One more thing (I just have to let loose here). eBay talks about and boasts that it's a community of buyers and sellers. Okay, I'll go along with that tagline; however, these are also people who rely on eBay for a living. You have moms and pops out there supplementing their income through eBay, you have entrepreneurs who quit their jobs a few years ago and went to eBay to open a full time business, you have people who simply rely on this quasi-coded giant for a living. eBay uses its top sellers to ''sell'' eBay and its ideals. Yeah, come on over and make a million on eBay or, work full time from home or, get a free disk on how to sell on eBay and the best yet, get an education at eBay's University and graduate with honors. Then there's the Certified eBay Developer's Program and guess what? You too can all make a living helping eBay figure out its own coding problems. eBay then gets people to buy into its eBay Drop Off Stores and we all know how many have lost their shirts on that one. Yes, eBay is a community of buyers and sellers who ''bought in'' to an ideal promoted through the cunning use of the media and a viral marketing campaign. Then the changes begin to transform eBay into something other than it was. eBay starts buying sales channels, selling off its ad space through Yahoo and sends traffic into off-eBay venues which don't even have an eBay store. Meg decides it's time to retire and Bill is leaving. What great timing. Let's not stop there, let's revamp the Feedback system, change the search and turn eBay into a wannabe Amazon. All the while, eBay is funding all of these changes with the fees of sellers who keep coming back for more. You see folks, eBay's money supply is PayPal fees and eBay seller fees, and they just get to keep charging those credit cards each and every month, building their cash flow and making themselves stronger while the sellers get weaker.
eBay is NOT just a venue, it's a depository of sales channels and they simply gobble up anything and everything they can. Look at MercExchange. Lawsuit for millions and appeal after appeal, what does eBay do? They buy the patents after putting the plaintiff through years of hell. Look at what they did to PayPal, banned eBay sellers from using a decent service and then bought them up when the time was right. The future is on the wall and eBay is so predictable that you can see the future now and that future does not include sellers.

eBay Watchdog Security Demo

by: companyexposed

Fri Mar 14 10:09:49 2008

This vulnerability is known to eBay for a very long time, also see

http://ar3av.free.fr/faille-ebay-en.php

August 2007 page by another user who contacted eBay with knowledge of this security hole.

Sum of all things:
A. eBay knows that their site can be hacked using flash XSS

B. eBay refuses to eliminate these dangerous flash embedded files from the site even after numerous reports and proofs by concerned members and media.

A+B=C. eBay chooses to look out for its own profits, as it claims that only a negligible portion of flash injects are these dangerous phishing injects, and it is more important to eBay that sellers have flash-enhanced listings so eBay can draw more fees for more items sold.

What are a few hundred thousand compromised eBay user IDs compared to the potential FVF fees that eBay would not make? In eBay's philosophy those compromised users must be just casualties of eBay's profit taking.

eBay Watchdog Security Demo

by: dimes

Fri Mar 14 16:22:05 2008

Here’s a news article from exactly three years ago this month in which eBay claimed to be rolling out a fix “in the next few days”.
http://www.betanews.com/article/eBay_Redirect_Becomes_Phishing_Tool/1109886753

Here’s one from October 2007 about a gang of German crooks who use stolen UK user IDs to post fake car listings.
http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2702642.ece

And here’s eBay the other day, blaming the problem on governments disinterested in cracking down on the criminals who exploit the security holes eBay designed into its website.
http://www.builderau.com.au/news/soa/eBay-fraud-of-no-concern-to-Eastern-Europe/0,339028227,339286697,00.htm

However, eBay does apparently allow some outside parties to have direct access to its database, according to a couple dozen stories that surfaced a couple of weeks ago after this blog was posted: http://realitybasedcommunity.net/archive/2008/02/scientology_abu_1.php

As eBay has remained silent on this issue, perhaps it could let us know how many other VERO members have been given keys to let themselves in and do their own takedowns.

eBay Watchdog Security Demo

by: 407779

Fri Mar 14 20:55:54 2008

Dimes has a good point. However, if that were the case, Tiffany would not have sued eBay. Can't wait for that decision to come down. By the way, hats off to auctionbytes for allowing these boards to exist.

eBay Watchdog Security Demo

by: companyexposed

Mon Mar 17 09:04:34 2008

This blogger just published thousands of eBay user logins/passwords/user locations.

They found the list elsewhere online and mentioned the original list was already pulled by the FBI.

They mention this list came from a hacked eBay database.

http://journals.aol.com/mhogue3909/taking-on-ebay/

I doubt this list will last long, but while it does, go there and see if your eBay login has been hacked and republished - CHANGE YOUR EBAY PASSWORD OFTEN!

eBay Watchdog Security Demo

by: dimes

Mon Mar 17 11:27:50 2008

From what I can tell by checking the feedback count on the hacked IDs, it looks like this particular hack occurred between November and December 2001.

Anyone see feedback counts that match more recent dates?

eBay Watchdog Security Demo

by: dimes

Tue Mar 18 13:50:16 2008

There is a fairly obscure thread on the eBay T&S board about an XSS attack that occurred last month on eBay's Korean site that resulted in a hacker obtaining personal data on 18 million (that's MILLION) users.  Apparently the hacker contacted the company in an attempt to ransom the data.

It's unclear as to whether the users are all located in S Korea, or if other eBay sites were affected.

For whatever reason, this story has escaped media attention.

The eBay thread:
http://tinyurl.com/24apeo

The news story that appeared on Dark Reading, a tech website:
http://tinyurl.com/yreb7j

The Web Application Security Consortium incident report:
http://tinyurl.com/yntnzt

Finally, current eBay.com search results for do-it-yourself hacker kits:
http://tinyurl.com/yqro9o
