12-22-2005, 03:28 AM
While eBay has recently been blaming its users "clicking on links" in phishing emails for a sharp rise in account hijackings this year, it has failed to mention that a (since patched) security hole in the LiveWorld forum software it uses in 2004 provided a hole through which hackers could gain access to data on the computers of users who logged into the eBay forums.
This vulnerability would have allowed hackers to gain access to data a user had recently submitted through their browsers, i.e. passwords, etc.
Coincidentally or not, the number of account hijackings jumped right around the time during which this hole existed in 2004.
From August 2004:
Quote: LiveWorld Products Allow Remote Users to Conduct Cross-Site Scripting Attacks
GulfTech Security Research Team reported that LiveForum, LiveQ&A, LiveChat, and LiveFocusGroup (and possibly other products) do not properly validate user-supplied input before displaying the information. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the LiveWorld software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the LiveWorld software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Full article (includes examples of some eBay URLs which suffered from this vulnerability): http://www.securitytracker.com/alerts/20...11036.html
The original proof of concept article from GulfTech Research: http://www.gulftech.org/?node=research&article_id=00044-08232004 . According to the article, both LiveWorld and eBay were slow to respond when presented with proof of the vulnerability in the LiveWorld software.
Also, check out this page on GulfTech: eBay was warned in January that holes existed on its site which would allow someone to place malware in a listing and successfully use the hole to hijack an account or phish personal info: it did nothing about that warning as evidenced by the recent news stories in which hackers successfully exploited this hole.
http://www.gulftech.org/?node=research&article_id=00064-01042005
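
The flaw class named in the quoted advisory (user-supplied input displayed without validation) and the matching fix, as an added example that is not part of the original post and is not LiveWorld or eBay code. The page template, the function names and the sample input are all constructed for illustration.

```javascript
// Constructed example: a forum search page that echoes a URL parameter.
// All names here are hypothetical, not LiveWorld or eBay code.

// Encode the five characters that let text change HTML structure.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Flawed pattern from the advisory: input is displayed without validation or encoding.
function renderUnsafe(query) {
  return `<input name="q" value="${query}"><p>Results for ${query}</p>`;
}

// Hardened: every reflection of the parameter is encoded for its HTML context.
function renderSafe(query) {
  const q = escapeHtml(query);
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// Count opening element tags in a rendered page; the template itself has 2 (<input>, <p>).
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Session cookie attributes that limit what injected script could reach:
// HttpOnly hides the cookie from document.cookie, Secure keeps it off plain HTTP.
function sessionCookie(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed input: harmless markup that breaks out of the value="" attribute.
const sample = '"><b>injected</b>';

function demo() {
  return {
    unsafeTags: countTags(renderUnsafe(sample)), // extra elements appear in the page
    safeTags: countTags(renderSafe(sample)),     // only the template's own elements
    cookie: sessionCookie('constructed-token'),
  };
}
console.log(demo());
```

HttpOnly only covers the cookie item in the advisory's impact list; submitted form data and actions taken as the user are protected by the output encoding, since script running in the page can reach both regardless of cookie flags.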