2004 Security Defect in LiveWorld Forums Gave Hackers Access to eBay Users Data

[bargainbloodhound]

While eBay has recently been blaming its users "clicking on links" in phishing emails for a sharp rise in account hijackings this year, it has failed to mention that a (since patched) security hole in the LiveWorld forum software it uses in 2004 provided a hole through which hackers could gain access to data on users computers who logged into the eBay forums.

This vulnerability would have allowed hackers to gain access to data a user had recently submitted through their browsers-i.e. passwords, etc.

Coincidentally or not, the number of account hijackings jumped right around the time during which this hole existed in 2004.

from August 2004:

LiveWorld Products Allow Remote Users to Conduct Cross-Site Scripting Attacks

GulfTech Security Research Team reported that LiveForum, LiveQ&A, LiveChat, and LiveFocusGroup (and possibly other products) do not properly validate user-supplied input before displaying the information. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the LiveWorld software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the LiveWorld software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

full article (includes examples of some eBay URLs which suffered from this vulnerability): http://www.securitytracker.com/alerts/20...11036.html

The original proof of concept article from GulfTech Research: http://www.gulftech.org/?node=research&article_id=00044-08232004 .  According to the article, both LiveWorld and eBay were slow to respond when presented with proof of the vulnerability in the LiveWorld software.

Also, check out this page on GulfTech:  eBay was warned in January that holes existed on its site which would allow someone to place malware in a listing and successfully use the hole to hijack an account or phish personal info:  it did nothing about that warning as evidenced by the recent news stories in which hackers successfully exploited this hole.

http://www.gulftech.org/?node=research&article_id=00064-01042005

[amy]

During the past few days there have been several complaints from posters on the eBay message boards that phishers are putting links in posts on eBay's LiveWorld hosted message boards to fake sign-in pages on virus infested phishing sites .

Here's one example that linked to a fake ebay sign-in page on an off ebay site (which hopefully will be deleted soon.  DO NOT CLICK ON THE LINK IN THE POST that is on the eBay stores board if the post is still there):

http://forums.ebay.com/db2/thread.jspa?t...2000062838&tstart=0

Who knew who he is?
merlaynia2  (111 ) View Listings | Report Dec-26-05 08:50 PST
http://[Domain Removed]/ebya/eBayISAPI.dllSignIn&co_partnerId=2&pUserId=&siteid=3&pageType=&pa1=&i1=&bshowgi/say.asp

While LiveWorld's moderators have been busy harassing people who call themselves idiots  , phishers have been having a field day luring eBay users with phishing links placed directly on the eBay message boards. Is it any wonder that LiveWorld has an unsatisfactory BBB rating (as a result of an unanswered complaint we filed last year after receiving eBay Groups spam sent from the LiveWorld mail server  ).

[dimucci]

Another one on eBay stores.  The only way to stop these is ban all links.  The links are on eBay's boards so are they liable when someone gets their ID stolen? 

Who knew who he is?
der-einkaufsladen  (0 ) View Listings | Report Dec-26-05 14:42 PST
http://xxxxxxx/ebya/eBayISAPI.dllSignIn&co_partnerId=2&pUserId=&siteid=3&pageType=&pa1=&i1=&bshowgi/say.asp

http://forums.ebay.com/db2/thread.jspa?t...2000062942&tstart=0

[rose]

The only way to stop these is ban all links

[bargainbloodhound]

[quote author=dimucci link=topic=1837.msg6671#msg6671 date=1135637947]
The only way to stop these is ban all links.  [/quote]

Since all of the phishing links contain the word ebay they could just filter the word "ebay"  :twistedevil:

I'm surprised the phishers didn't think to use ebay's message boards before now...they've already used item listing pages and about me pages  The posts are being deleted, but in the time before they get deleted I'm sure there are people clicking through to the phishing site and either giving away their personal info or having their computer infected.

I'd like to see eBay try to blame its users for the poor security that for the 2nd time in a few weeks is responsible for phishing that is taking place directly on the pages of its sites.

[rose]

[quote author=bargainbloodhound link=topic=1837.msg6680#msg6680 date=1135650794]

I'm surprised the phishers didn't think to use ebay's message boards before now...they've already used item listing pages and about me pages  The posts are being deleted, but in the time before they get deleted I'm sure there are people clicking through to the phishing site and either giving away their personal info or having their computer infected.
[/quote]

I doubt if this is the first time they've fished from there.

[bargainbloodhound]

more reports of account hijackings caused by users following the many (many, many, many) phishing links that exist directly  on the "safe" eBay US and UK sites.

http://forums.ebay.com/db2/thread.jspa?t...1000172123&tstart=0
http://forums.ebay.com/db1/thread.jspa?t...1000173452&tstart=0

My favorite quotes:

i reported 100 threads last night.

and

BOARD IDs were hijacked???

*gulp*..