eBay Knew For 1 Yr.That Security Holes On Its Site Could Lead to Account Hijacks

[dnc_ont]

Corporate bureaucracy is to blame for their not fixing the software.  The programming guys probably need approval from 50 supervisors just to take a piss.  laughing7

Hmm, well that could explain all the outages and screwups on eBay..

I mean, if they're sneaking back behind a rack of servers and hanging a quick leak on the sly, well, you know us guys, terrible aim and all, they're shorting the damn things out.

[xppman]

Hmm, well that could explain all the outages and screwups on eBay..

I mean, if they're sneaking back behind a rack of servers and hanging a quick leak on the sly, well, you know us guys, terrible aim and all, they're shorting the damn things out.

What's real funny (but pathetic at the same time) is that they
treat their employees they pay at ebay HQ 
just like they treat their employees that pay them. The feebay sellers.

Like little children.

[rose]

[quote author=bargainbloodhound link=topic=1668.msg6424#msg6424 date=1135222936]
eBay shares equal blame for account hijackings because it knew about and ignored warnings that a security hole existed on its site through which a user could place malicious code in a listing on the ebay site or on an about me page that would redirect them from the eBay site to an off ebay phishing site.

Almost 1 year after this vulnerability was pointed out to eBay, hackers did in fact take advantage of this hole in December 2005 to phish users on the ebay site .

The GulfTech warning and article below were issued in January 2005...eBay did nothing despite the warnings.

The full article: http://www.gulftech.org/?node=research&article_id=00064-01042005

[/quote]

They deserve full blame if they didn't fix a known problem.  Bunch of s

[mandy]

One month later, eBay has yet to fix the security hole that allows phishers to put malicious javascript in listings.

from today's issue of Auctionbites (an eBay-orientated email newsletter that rehashes press releases and provides friendly editorial coverage to advertisers):

An eBay auction for a Rolls-Royce Phantom contained a Java Applet designed to install malicious code on viewer's computers. The auction was listed on eBay.com by a seller located in the UK on December 28, 2005...A hit counter showed the auction had been viewed nearly 3,000 times before the auction was removed Monday

full article: http://auctionbytes.com/cab/abn/y06/m01/i03/s01

[rose]

[quote author=mandy link=topic=1668.msg7027#msg7027 date=1136295605]
One month later, eBay has yet to fix the security hole that allows phishers to put malicious javascript in listings.

An eBay auction for a Rolls-Royce Phantom contained a Java Applet designed to install malicious code on viewer's computers. The auction was listed on eBay.com by a seller located in the UK on December 28, 2005...A hit counter showed the auction had been viewed nearly 3,000 times before the auction was removed Monday

full article: http://auctionbytes.com/cab/abn/y06/m01/i03/s01
[/quote]

Amazing.  Why didn't they just say no to java scripts after the incident last month?

[mandy]

1 1/2 years after eBay was warned about this security flaw on its web site it has yet to fix the problem.  More reports of phishers placing malware directly on eBay listing pages:

Phishers set hidden traps on eBay

Click on an eBay auction listing, and you could get an unwanted result: a fake eBay login page, created by scammers looking to pilfer your username and password...

Cybercrooks typically use spam e-mail to lure people to their Web traps. But on eBay, they also take advantage of the auction listings on the site itself.

Some of the scams run on the auction Web site are almost invisible to the untrained eye. eBay lets sellers customize their auction pages using Web programming techniques and automated tools. However, attackers are abusing this freedom to build auction pages that include a rigged listing. When potential customers click on the link, it sends them to a phishing site.

eBay is aware of such abuse of its service for trickery by cybercrooks, Catherine England, an eBay spokeswoman, said Friday.

"Our sellers really use the dynamic content aspect of our listings," she said. "The benefits overwhelmingly outweigh the red skin that we have gotten." ...

full article: http://news.com.com/Phishers+set+hidden+...56687.html

[bargainbloodhound]

eBay is aware of such abuse of its service for trickery by cybercrooks, Catherine England, an eBay spokeswoman, said Friday.

"Our sellers really use the dynamic content aspect of our listings," she said. "The benefits overwhelmingly outweigh the red skin that we have gotten." ...

Try telling people who have had their identities/personal data stolen that allowing sellers to have scrolling galleries and other javascript-driven tools in auction listings outweighs the identity theft that has taken place as a result of eBay's refusal to fix this problem...I don't think many of the people who have been victimized as a result of this problem would agree with England that the benefits outweigh the negatives.  mileyazwipe:

[mandy]

Using the eBay web site may leave you at the risk of having your personal information stolen.  US-CERT (run by the US Dept. of Homeland Security) issued an advisory on April 3rd warning that the eBay web site contains a cross site scripting vulnerability.

Vulnerability Note VU#808921
eBay contains a cross-site scripting vulnerability

Overview
The eBay web site contains a cross-site scripting vulnerability.

I. Description
eBay is a popular auction web site. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website. More information about cross-site scripting is available in CERT Advisory CA-2000-02.
II. Impact

An attacker may be able to obtain sensitive data from the eBay web site. As of the publication of this document, attackers are using this vulnerability to redirect auction viewers to phishing sites. More severe impacts may be possible, including disclosure of passwords, credit card numbers, or other personal information. Likewise, information stored in cookies could be stolen or corrupted.

the full security advisory: http://www.kb.cert.org/vuls/id/808921

related topic:
eBay Knew For 1 Yr.That Security Holes On Its Site Could Lead to Account Hijacks
http://community.tuliptools.com/index.ph...668.0.html

[regic]

  US-CERT (run by the US Dept. of Homeland Security) issued an advisory on April 3rd warning that the eBay web site contains a cross site scripting vulnerability.

eBay's spokesperson said the benefits of not fixing the problem outweigh the security risks? I hope she said that on April Fool's Day intending it to be a joke. 

[jezebel]

Companies need to be fined heavily when they refuse to fix security problems.  :