eBay Knew For 1 Yr.That Security Holes On Its Site Could Lead to Account Hijacks

  
04-05-2006, 07:15 PM,
Post: #21
wayoutwest
Re: eBay Knew For 1 Yr.That Security Holes On Its Site Could Lead to Account Hijacks
I tried to do some JavaScript on my Me page and eBay rejected it (was a JavaScript to pull in an RSS feed), so it looks like they're tightening up in some regards. Still, though, way too easy to do malicious code in listings.

04-28-2006, 08:13 AM,
Post: #22
mandy
US Government Warns Again That Listings on eBay Web Site May Contain Malware
The US Department of Homeland Security's US-CERT issued another security alert on 27 April 2006 that viewing listings on the eBay web site may be dangerous. This is the same problem eBay has known about for over 1 year and that its spokesperson Catherine England publicly stated it has no intention of fixing. Its users being the possible victims of identity theft is apparently of no concern to the company.

Quote:US-CERT National Cyber Alert System
SA06-117A-Scripts in eBay Postings May Enable Phishing Attacks
Original release date: April 27, 2006
Last revised: --
Source: US-CERT

Systems Affected

    The eBay web site may contain pages that affect various web browsers.


Overview

    A vulnerability in the eBay web site may allow an attacker to steal personal information from eBay customers.


Solution

    Verify the legitimacy of eBay web pages

    Attackers may use the vulnerability to perform a phishing attack. Make sure that the URL is accurate, and check the web site certificate to make sure that you are visiting an authentic eBay web page.


Description

    eBay allows users to incorporate a type of code, also known as scripting, into the auction descriptions on its web site. An attacker can use this code to modify pages on eBay's web site or redirect you to a malicious web page. These may appear to be legitimate eBay web pages that request personal information. Using these techniques, an attacker may be able to collect your passwords, credit card numbers, or other personal information.

    Please see US-CERT Vulnerability note VU#808921 for details and additional workarounds.


References

        * US-CERT Vulnerability Note VU#808921 -

http://www.us-cert.gov/cas/alerts/SA06-117A.html

US-CERT also issued a vulnerability note regarding the eBay web site on 2 April 2006: http://www.kb.cert.org/vuls/id/808921
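The alert quoted in the post above says scripting embedded in auction descriptions can modify a page or redirect the viewer. As an added example (not part of the original posts, the US-CERT alert, or eBay's code), this Python sketch shows a server-side check that flags active content in a submitted description; the tag and attribute lists are an assumed policy, and the sample listings are constructed.

```python
from html.parser import HTMLParser

# Assumed policy (not eBay's): descriptions may carry formatting markup only,
# so anything below counts as active content.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet",
               "base", "form", "link", "style"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects (line, kind, detail) for markup that can run or load script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = [(name, value or "") for name, value in attrs]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, "active-tag", tag))
        if tag == "meta" and any(n == "http-equiv" and
                                 v.strip().lower() == "refresh" for n, v in attrs):
            self.findings.append((line, "meta-refresh", tag))
        for name, value in attrs:
            if name.startswith("on"):          # onclick, onload, onmouseover, ...
                self.findings.append((line, "event-handler", name))
            elif name in URL_ATTRS:
                # The parser has already decoded character references; drop
                # whitespace and control characters before checking the scheme.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append((line, "script-url", name))


def scan_listing(html):
    """Return every active-content finding in one listing description."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample descriptions, not taken from any real listing.
BENIGN = '<p><b>Vintage lamp</b>, see <a href="https://example.com/photos">photos</a>.</p>'
RISKY = ('<p onmouseover="/* handler body */">Item</p>\n'
         '<script src="https://example.invalid/x.js"></script>\n'
         '<a href=" JaVa&#115;cript:void(0)">details</a>\n'
         '<meta http-equiv="refresh" content="0;url=https://example.invalid/">')
```

A listing with any finding would be rejected or held for review; a production filter would normally parse and re-serialize against an allowlist rather than only detect.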
05-18-2006, 04:04 PM,
Post: #23
Kristijntje
Re: eBay Knew For 1 Yr.That Security Holes On Its Site Could Lead to Account Hij
This quote from Auctionbytes 5.18

Quote:Some users had complained they were receiving error messages relating to Javascript, leading one to speculate, "Apparently, eBay is tightening some of its JavaScript rules, and I think today was a harbinger of that." Some scammers have used Javascript vulnerabilities to spoof eBay listings (http://www.auctionbytes.com/cab/abn/y04/m10/i04/s01). An eBay spokesperson did not get back to AuctionBytes by press time to address the Javascript issue.

http://auctionbytes.com/cab/abn/y06/m05/i18/s01
Even if a monkey wears a golden ring, it is and remains an ugly thing
03-13-2008, 12:15 PM,
Post: #24
mandy
Re: eBay Knew For 1 Yr.That Security Holes On Its Site Could Lead to Account Hijacks
It has been 2 1/2 years since this thread started and eBay has yet to fix the cross-site scripting vulnerability on its site.

Quote:Saying it was tired of waiting for eBay to fix a security problem on its platform that has existed for years, German watchdog group Falle-Internet.de exposed the vulnerability to journalists in a live demonstration on Tuesday. Falle-Internet.de was able to display reporters' eBay account information on a special page once reporters had visited an eBay Germany listing that contained malicious code similar to that used by scammers...

The contact at Falle-Internet.de said he's been monitoring this vulnerability for several years and that hackers are using it for phishing campaigns. Are they using it to hijack PowerSeller accounts? "They are hijacking any type of account, but PowerSellers are preferred. There are various techniques - spoof mails are sent inside the eBay system, or they insert malicious code in auctions," he said, adding that scammers also use Watched-auction data to send fake Second Chance Offers (SCO) for items victims are watching.

According to Falle-Internet.de, it has found huge collections of eBay cookies on the web. "This site is assigned to Romanian criminals, together there were stored drafts for automated fake SCO sending in different languages." ...

full article and screenshots: http://www.auctionbytes.com/cab/abn/y08/m03/i13/s01