eBay Knew For 1 Yr.That Security Holes On Its Site Could Lead to Account Hijacks

[Kristijntje]

Scammers have found a new way to try to trick eBay members into giving them their personal information.

The new technique effectively hijacks links on listing or search results pages, taking people to an official-looking eBay log-in page that is actually phony.

In one example the Mercury News viewed this week, several listings were added to eBay's ``Totally bizarre'' category, a section intended for offbeat items, with the title ``Movie!With me and Laura!My best friend!Sexy show!1$''

When eBay users clicked on the listing titles, their Web browser was immediately redirected to the fraudulent log-in page. Making matters worse, the phony page appears to download a virus onto users' computers.

...EBay said the people behind the scam appeared to have added malicious JavaScript code to their listings...

full article: http://www.miami.com/mld/mercurynews/business/13376864.htm?source=rss&channel=mercurynews_business

[bargainbloodhound]

Well this is one case where it is definitely not safe to shop or even browse on the "safe" eBay site. 

I think eBay should bear part of the financial burden and compensate anyone who has had their info stolen as a result of this phish because it was their lax security that allowed it to happen.

*putting on my web site owner's hat and taking off my seller's hat before this next sentence*    Allowing anyone to place javascript in their listings or in anything else that they place/upload on your site is a fr_ck'n security problem waiting to happen...and it looks like eBay's bad judgement has allowed it to happen.

[regic]

EBay has tools that automatically scan new listings for computer viruses and malicious JavaScript, spokesman Hani Durzy said. In this instance, the hacker apparently used code that sneaked past the screening process.

Your scanner doesn't work, time to find a new programmer

http://jobsearch.monster.com/jobsearch.asp?q=programmer&fn=&lid=&re=104&cy=us&x=0&y=0

[xppman]

I say the more the BETTER.

F2#%@K ebay.
Wonder how many of these problems are from folks who had their PP accounts FROZEN or were suspended without due process from the bay.

You GO hackers. 

[catholicemporium]

[quote author=regic link=topic=1668.msg5911#msg5911 date=1134253794]

EBay has tools that automatically scan new listings for computer viruses and malicious JavaScript, spokesman Hani Durzy said. In this instance, the hacker apparently used code that sneaked past the screening process.

Your scanner doesn't work, time to find a new programmer

http://jobsearch.monster.com/jobsearch.asp?q=programmer&fn=&lid=&re=104&cy=us&x=0&y=0


[/quote]

Anything that comes out of Hani Durzy's mouth is nothing but spin.  I have made this comparison before, and I will re-iterate it:  Hani Durzy is just like Baghdad Bob (was that his name?).  The Iraqi official who insisted the Americans weren't anywhere near Baghdad while the tanks rolled by.

[dimucci]

Hani b.s.ing in a past life http://www.revenews.com/advice/news/060200a.html

[xppman]

Anything that comes out of Hani Durzy's mouth is nothing but spin.

Look up Hani Durzy.
You will see the

[bargainbloodhound]

eBay's recent attempt to blame lax computer security habits of its users for a sharp rise in account hijackings are a bunch of B.S.  eBay shares equal blame for account hijackings because it knew about and ignored warnings that a security hole existed on its site through which a user could place malicious code in a listing on the ebay site or on an about me page that would redirect them from the eBay site to an off ebay phishing site.

Almost 1 year after this vulnerability was pointed out to eBay, hackers did in fact take advantage of this hole in December 2005 to phish users on the ebay site .

The GulfTech warning and article below were issued in January 2005...eBay did nothing despite the warnings.

Last year GulfTech Security Research found several security flaws in eBay and the eBay owned half.com. These security flaws could allow attackers to execute malicious code in the context of a victim's browser, and could easily be used to hijack accounts, and in phishing, and other scams. Unfortunately only some of those security flaws were fixed, and the most dangerous of the bunch still remain even after being made public. Additionally, GulfTech Security Research found similar security vulnerabilities in the well known amazon.com website. Like eBay, the amazon.com vulnerabilities still exist.


Should I Be Worried?
If you make use of eBay or amazon.com you could be put at risk simply by visiting a link, or viewing a malicious web page. The eBay vulnerability is an especially nasty one because all an attacker has to do in order to acquire victims is place an auction or fill out their "about me" page with malicious data. Once the malicious auction is placed a victim's cookie based credentials can be stolen silently, and even worse an attacker can hijack certain Document Object Model elements and cause anyone who clicks on the "place bid" button to be redirected to a bogus login page or worse. Below is an example "about me" page put together by us that will demonstrate how this vulnerability could be used for phishing.

The full article: http://www.gulftech.org/?node=research&article_id=00064-01042005

Based on the fact that eBay knew about this security vulnerability for almost a year and did nothing, I think they would have a hard time defending themselves in court if anyone who was victimized (had their personal info stolen or account hijacked) decided to sue them.

[jezebel]

Corporate bureaucracy is to blame for their not fixing the software.  The programming guys probably need approval from 50 supervisors just to take a piss. 

[mandy]

Should I Be Worried?
If you make use of eBay or amazon.com you could be put at risk simply by visiting a link, or viewing a malicious web page. The eBay vulnerability is an especially nasty one because all an attacker has to do in order to acquire victims is place an auction or fill out their "about me" page with malicious data. Once the malicious auction is placed a victim's cookie based credentials can be stolen silently, and even worse an attacker can hijack certain Document Object Model elements and cause anyone who clicks on the "place bid" button to be redirected to a bogus login page or worse. Below is an example "about me" page put together by us that will demonstrate how this vulnerability could be used for phishing.

I would be worried if I was a member of the site.