2004 Security Defect in LiveWorld Forums Gave Hackers Access to eBay Users Data
|
12-22-2005, 03:28 AM,
(This post was last modified: 12-22-2005, 04:01 AM by bargainbloodhound.)
Post: #1
|
|||
|
|||
2004 Security Defect in LiveWorld Forums Gave Hackers Access to eBay Users Data
While eBay has recently been blaming its users "clicking on links" in phishing emails for a sharp rise in account hijackings this year, it has failed to mention that a (since patched) security hole in the LiveWorld forum software it uses in 2004 provided a hole through which hackers could gain access to data on users computers who logged into the eBay forums.
This vulnerability would have allowed hackers to gain access to data a user had recently submitted through their browsers-i.e. passwords, etc. Coincidentally or not, the number of account hijackings jumped right around the time during which this hole existed in 2004. from August 2004: Quote:LiveWorld Products Allow Remote Users to Conduct Cross-Site Scripting Attacks full article (includes examples of some eBay URLs which suffered from this vulnerability): http://www.securitytracker.com/alerts/20...11036.html The original proof of concept article from GulfTech Research: http://www.gulftech.org/?node=research&article_id=00044-08232004 . According to the article, both LiveWorld and eBay were slow to respond when presented with proof of the vulnerability in the LiveWorld software. Also, check out this page on GulfTech: eBay was warned in January that holes existed on its site which would allow someone to place malware in a listing and successfully use the hole to hijack an account or phish personal info: it did nothing about that warning as evidenced by the recent news stories in which hackers successfully exploited this hole. http://www.gulftech.org/?node=research&article_id=00064-01042005
"Well, Jay was so giddy that someone named Jay was involved with this site we posted our first non-eBay listing in 3 years here at Lunarbid (we tried two items at Yahoo once upon a time, they bombed)" -Marie posting in a LunarBid thread at OTWA in 2005 wins the award for 'most moronic reason ever given for choosing a venue"
"thanks twat u must have nothing better 2 do. do u talk to all your members like that. will not be recomending your site. best way to put it is TULIPTOOLS.COM IS REALLY SHIT. DONT JOIN." -pubescent owner of rinky dink off2auction.com in 2011 |
|||
12-26-2005, 05:40 PM,
Post: #2
|
|||
|
|||
User Beware: Phishing Links in Posts on eBay's LiveWorld Hosted Message Boards
During the past few days there have been several complaints from posters on the eBay message boards that phishers are putting links in posts on eBay's LiveWorld hosted message boards to fake sign-in pages on virus infested phishing sites .
Here's one example that linked to a fake ebay sign-in page on an off ebay site (which hopefully will be deleted soon. DO NOT CLICK ON THE LINK IN THE POST that is on the eBay stores board if the post is still there): http://forums.ebay.com/db2/thread.jspa?t...2000062838&tstart=0 Quote:Who knew who he is? While LiveWorld's moderators have been busy harassing people who call themselves idiots , phishers have been having a field day luring eBay users with phishing links placed directly on the eBay message boards. Is it any wonder that LiveWorld has an unsatisfactory BBB rating (as a result of an unanswered complaint we filed last year after receiving eBay Groups spam sent from the LiveWorld mail server ). |
|||
12-26-2005, 10:59 PM,
Post: #3
|
|||
|
|||
User Beware: Phishing Links in Posts on eBay's LiveWorld Hosted Message Boards
Another one on eBay stores. The only way to stop these is ban all links. The links are on eBay's boards so are they liable when someone gets their ID stolen?
Quote:Who knew who he is? http://forums.ebay.com/db2/thread.jspa?t...2000062942&tstart=0 |
|||
12-26-2005, 11:27 PM,
Post: #4
|
|||
|
|||
Re: 2004 Security Defect in LiveWorld Forums Gave Hackers Access to eBay Users Data
Quote:The only way to stop these is ban all links |
|||
12-27-2005, 02:33 AM,
Post: #5
|
|||
|
|||
Re: User Beware: Phishing Links in Posts on eBay's LiveWorld Hosted Message Boards
[quote author=dimucci link=topic=1837.msg6671#msg6671 date=1135637947]
The only way to stop these is ban all links. [/quote] Since all of the phishing links contain the word ebay they could just filter the word "ebay" :twistedevil: I'm surprised the phishers didn't think to use ebay's message boards before now...they've already used item listing pages and about me pages The posts are being deleted, but in the time before they get deleted I'm sure there are people clicking through to the phishing site and either giving away their personal info or having their computer infected. I'd like to see eBay try to blame its users for the poor security that for the 2nd time in a few weeks is responsible for phishing that is taking place directly on the pages of its sites.
"Well, Jay was so giddy that someone named Jay was involved with this site we posted our first non-eBay listing in 3 years here at Lunarbid (we tried two items at Yahoo once upon a time, they bombed)" -Marie posting in a LunarBid thread at OTWA in 2005 wins the award for 'most moronic reason ever given for choosing a venue"
"thanks twat u must have nothing better 2 do. do u talk to all your members like that. will not be recomending your site. best way to put it is TULIPTOOLS.COM IS REALLY SHIT. DONT JOIN." -pubescent owner of rinky dink off2auction.com in 2011 |
|||
12-28-2005, 12:55 AM,
Post: #6
|
|||
|
|||
Re: User Beware: Phishing Links in Posts on eBay's LiveWorld Hosted Message Boards
[quote author=bargainbloodhound link=topic=1837.msg6680#msg6680 date=1135650794]
I'm surprised the phishers didn't think to use ebay's message boards before now...they've already used item listing pages and about me pages The posts are being deleted, but in the time before they get deleted I'm sure there are people clicking through to the phishing site and either giving away their personal info or having their computer infected. [/quote] I doubt if this is the first time they've fished from there. |
|||
12-28-2005, 06:59 PM,
Post: #7
|
|||
|
|||
eBay Users Accounts Hijacked As A Result of Phishing Links On LiveWorld Boards
more reports of account hijackings caused by users following the many (many, many, many) phishing links that exist directly on the "safe" eBay US and UK sites.
http://forums.ebay.com/db2/thread.jspa?t...1000172123&tstart=0 http://forums.ebay.com/db1/thread.jspa?t...1000173452&tstart=0 My favorite quotes: Quote:i reported 100 threads last night. and Quote:BOARD IDs were hijacked???
"Well, Jay was so giddy that someone named Jay was involved with this site we posted our first non-eBay listing in 3 years here at Lunarbid (we tried two items at Yahoo once upon a time, they bombed)" -Marie posting in a LunarBid thread at OTWA in 2005 wins the award for 'most moronic reason ever given for choosing a venue"
"thanks twat u must have nothing better 2 do. do u talk to all your members like that. will not be recomending your site. best way to put it is TULIPTOOLS.COM IS REALLY SHIT. DONT JOIN." -pubescent owner of rinky dink off2auction.com in 2011 |
|||
« Next Oldest | Next Newest »
|
Users browsing this thread: 2 Guest(s)