Threaded Mode | Linear Mode

wayoutwest · 04-05-2006, 07:15 PM,

i tried to do some javascript on my Me page and ebay rejected it (was a javascript to pull in an RSS feed) so it looks like theyre tightening up in some regards. still, though, way too easy to do malicious code in listings.

***mandy*** · 04-28-2006, 08:13 AM,

The US Department of Homeland Security's US-CERT issued another security alert on 27 April 2006 that viewing listings on the eBay web site may be dangerous. This is the same problem eBay has known about for over 1 year and that its spokesperson Catherine England publicly stated it has no intention of fixing. Its users being the possible victims of identity theft is apparently of no concern to the company. : Smile

Quote:US-CERT National Cyber Alert System
SA06-117A-Scripts in eBay Postings May Enable Phishing Attacks
Original release date: April 27, 2006
Last revised: --
Source: US-CERT

Systems Affected

The eBay web site may contain pages that affect various web browsers.

Overview

A vulnerability in the eBay web site may allow an attacker to steal personal information from eBay customers.

Solution

Verify the legitimacy of eBay web pages

Attackers may use the vulnerability to perform a phishing attack. Make sure that the URL is accurate, and check the web site certificate to make sure that you are visiting an authentic eBay web page.

Description

eBay allows users to incorporate a type of code, also known as scripting, into the auction descriptions on its web site. An attacker can use this code to modify pages on eBay's web site or redirect you to a malicious web page. These may appear to be legitimate eBay web pages that request personal information. Using these techniques, an attacker may be able to collect your passwords, credit card numbers, or other personal information.

Please see US-CERT Vulnerability note VU#808921 for details and additional workarounds.

References

* US-CERT Vulnerability Note VU#808921 -

http://www.us-cert.gov/cas/alerts/SA06-117A.html

US-CERT also issued a vulnerability note regarding the eBay web site on 2 April 2006: http://www.kb.cert.org/vuls/id/808921

**Kristijntje** · 05-18-2006, 04:04 PM,

This quote from Auctionbytes 5.18

Quote:Some users had complained they were receiving error messages relating to Javascript, leading one to speculate, "Apparently, eBay is tightening some of its JavaScript rules, and I think today was a harbinger of that." Some scammers have used Javascript vulnerabilities to spoof eBay listings (http://www.auctionbytes.com/cab/abn/y04/m10/i04/s01). An eBay spokesperson did not get back to AuctionBytes by press time to address the Javascript issue.

http://auctionbytes.com/cab/abn/y06/m05/i18/s01

***mandy*** · 03-13-2008, 12:15 PM,

It has been 2 1/2 years since this thread started and eBay has yet to fix the cross site scripting vulnerability on its site :blinkie:

Quote:Saying it was tired of waiting for eBay to fix a security problem on its platform that has existed for years, German watchdog group Falle-Internet.de exposed the vulnerability to journalists in a live demonstration on Tuesday. Falle-Internet.de was able to display reporters' eBay account information on a special page once reporters had visited an eBay Germany listing that contained malicious code similar to that used by scammers...

The contact at Falle-Internet.de said he's been monitoring this vulnerability for several years and that hackers are using it for phishing campaigns. Are they using it to hijack PowerSeller accounts? "They are hijacking any type of account, but PowerSellers are preferred. There are various techniques - spoof mails are sent inside the eBay system, or they insert malicious code in auctions," he said, adding that scammers also use Watched-auction data to send fake Second Chance Offers (SCO) for items victims are watching.

According to Falle-Internet.de, it has found huge collections of eBay cookies on the web. "This site is assigned to Romanian criminals, together there were stored drafts for automated fake SCO sending in different languages." ...

full article and screenshots: http://www.auctionbytes.com/cab/abn/y08/m03/i13/s01