2004 Security Defect in LiveWorld Forums Gave Hackers Access to eBay Users Data

  
12-22-2005, 03:28 AM, (This post was last modified: 12-22-2005, 04:01 AM by bargainbloodhound.)
Post: #1
bargainbloodhound Offline
2004 Security Defect in LiveWorld Forums Gave Hackers Access to eBay Users Data
While eBay has recently been blaming its users "clicking on links" in phishing emails for a sharp rise in account hijackings this year, it has failed to mention that a (since patched) security hole in the LiveWorld forum software it uses in 2004 provided a hole through which hackers could gain access to data on users' computers who logged into the eBay forums.

This vulnerability would have allowed hackers to gain access to data a user had recently submitted through their browsers, i.e. passwords, etc.

Coincidentally or not, the number of account hijackings jumped right around the time during which this hole existed in 2004.

from August 2004:


Quote:LiveWorld Products Allow Remote Users to Conduct Cross-Site Scripting Attacks

GulfTech Security Research Team reported that LiveForum, LiveQ&A, LiveChat, and LiveFocusGroup (and possibly other products) do not properly validate user-supplied input before displaying the information. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the LiveWorld software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the LiveWorld software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

full article (includes examples of some eBay URLs which suffered from this vulnerability): http://www.securitytracker.com/alerts/20...11036.html

The original proof of concept article from GulfTech Research: http://www.gulftech.org/?node=research&article_id=00044-08232004 .  According to the article, both LiveWorld and eBay were slow to respond when presented with proof of the vulnerability in the LiveWorld software.

Also, check out this page on GulfTech:  eBay was warned in January that holes existed on its site which would allow someone to place malware in a listing and successfully use the hole to hijack an account or phish personal info:  it did nothing about that warning as evidenced by the recent news stories in which hackers successfully exploited this hole.

http://www.gulftech.org/?node=research&article_id=00064-01042005

"Well, Jay was so giddy that someone named Jay was involved with this site we posted our first non-eBay listing in 3 years here at Lunarbid (we tried two items at Yahoo once upon a time, they bombed)" -Marie posting in a LunarBid thread at OTWA in 2005 wins the award for 'most moronic reason ever given for choosing a venue"

"thanks twat u must have nothing better 2 do. do u talk to all your members like that. will not be recomending your site.
best way to put it is TULIPTOOLS.COM IS REALLY SHIT. DONT JOIN." -pubescent owner of rinky dink off2auction.com in 2011
12-26-2005, 05:40 PM,
Post: #2
amy Offline
User Beware: Phishing Links in Posts on eBay's LiveWorld Hosted Message Boards
During the past few days there have been several complaints from posters on the eBay message boards that phishers are putting links in posts on eBay's LiveWorld hosted message boards to fake sign-in pages on virus-infested phishing sites.

Here's one example that linked to a fake ebay sign-in page on an off ebay site (which hopefully will be deleted soon.  DO NOT CLICK ON THE LINK IN THE POST that is on the eBay stores board if the post is still there):

http://forums.ebay.com/db2/thread.jspa?t...2000062838&tstart=0
Quote:Who knew who he is?
merlaynia2  (111 ) View Listings | Report Dec-26-05 08:50 PST
http://[Domain Removed]/ebya/eBayISAPI.dllSignIn&co_partnerId=2&pUserId=&siteid=3&pageType=&pa1=&i1=&bshowgi/say.asp

While LiveWorld's moderators have been busy harassing people who call themselves idiots Laughing7, phishers have been having a field day luring eBay users with phishing links placed directly on the eBay message boards. Is it any wonder that LiveWorld has an unsatisfactory BBB rating (as a result of an unanswered complaint we filed last year after receiving eBay Groups spam sent from the LiveWorld mail server Wink)?
12-26-2005, 10:59 PM,
Post: #3
dimucci Offline
User Beware: Phishing Links in Posts on eBay's LiveWorld Hosted Message Boards
Another one on eBay stores.  The only way to stop these is ban all links.  The links are on eBay's boards so are they liable when someone gets their ID stolen? 

Quote:Who knew who he is?
der-einkaufsladen  (0 ) View Listings | Report Dec-26-05 14:42 PST
http://xxxxxxx/ebya/eBayISAPI.dllSignIn&co_partnerId=2&pUserId=&siteid=3&pageType=&pa1=&i1=&bshowgi/say.asp

http://forums.ebay.com/db2/thread.jspa?t...2000062942&tstart=0
12-26-2005, 11:27 PM,
Post: #4
rose Offline
Re: 2004 Security Defect in LiveWorld Forums Gave Hackers Access to eBay Users Data
Quote:The only way to stop these is ban all links

Signs064
http://www.gentoo.org/
12-27-2005, 02:33 AM,
Post: #5
bargainbloodhound Offline
Re: User Beware: Phishing Links in Posts on eBay's LiveWorld Hosted Message Boards
Quote:The only way to stop these is ban all links.

Since all of the phishing links contain the word ebay they could just filter the word "ebay"  Angel1 :twistedevil:

I'm surprised the phishers didn't think to use ebay's message boards before now...they've already used item listing pages and about me pages. The posts are being deleted, but in the time before they get deleted I'm sure there are people clicking through to the phishing site and either giving away their personal info or having their computer infected.

I'd like to see eBay try to blame its users for the poor security that for the 2nd time in a few weeks is responsible for phishing that is taking place directly on the pages of its sites.
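
An added example, not part of any post above and not eBay's or LiveWorld's code: a moderation check that classifies the links in a post by their host rather than by keyword, so links to the board's own domains pass while off-site links carrying eBay sign-in markers are held for review. The trusted domain list, the token list and the `phish.example` / `example.net` hosts are assumptions standing in for values the thread does not give.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the board operator owns; not taken from the thread.
TRUSTED_DOMAINS = ("ebay.com", "ebay.co.uk")
# Markers that appear in the lure URLs quoted in the thread.
LURE_TOKENS = ("ebay", "ebya", "signin")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_trusted_host(host):
    """True for a trusted domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_link(url):
    """Return 'trusted', 'suspicious' or 'external' for one URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return "suspicious"  # host could not be parsed at all
    if is_trusted_host(host):
        return "trusted"
    # netloc (not just hostname) so a brand name in the userinfo part counts too.
    haystack = (parts.netloc + parts.path + "?" + parts.query).lower()
    if any(token in haystack for token in LURE_TOKENS):
        return "suspicious"  # brand or sign-in marker on a host that is not ours
    return "external"


def review_post(body):
    """Map each link found in a post body to its classification."""
    links = (u.rstrip(".,;)") for u in URL_RE.findall(body))
    return {u: classify_link(u) for u in links}


# Constructed sample post; the hosts are placeholders.
SAMPLE_POST = """Who knew who he is?
http://phish.example/ebya/eBayISAPI.dllSignIn&co_partnerId=2&pUserId=&siteid=3
http://signin.ebay.com.example.net/ws/login
http://forums.ebay.com/db2/thread.jspa?tstart=0
http://www.gentoo.org/"""

if __name__ == "__main__":
    for link, verdict in review_post(SAMPLE_POST).items():
        print(f"{verdict:10} {link}")
```

A plain keyword filter on "ebay" would also hold the legitimate `forums.ebay.com` link, and a suffix match without the leading dot would pass `signin.ebay.com.example.net`.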
12-28-2005, 12:55 AM,
Post: #6
rose Offline
Re: User Beware: Phishing Links in Posts on eBay's LiveWorld Hosted Message Boards
Quote:I'm surprised the phishers didn't think to use ebay's message boards before now...they've already used item listing pages and about me pages. The posts are being deleted, but in the time before they get deleted I'm sure there are people clicking through to the phishing site and either giving away their personal info or having their computer infected.

I doubt if this is the first time they've fished from there.

http://www.gentoo.org/
12-28-2005, 06:59 PM,
Post: #7
bargainbloodhound Offline
eBay Users Accounts Hijacked As A Result of Phishing Links On LiveWorld Boards
More reports of account hijackings caused by users following the many (many, many, many) phishing links that exist directly on the "safe" eBay US and UK sites.

http://forums.ebay.com/db2/thread.jspa?t...1000172123&tstart=0
http://forums.ebay.com/db1/thread.jspa?t...1000173452&tstart=0

My favorite quotes:

Quote:i reported 100 threads last night.

Dazed012

and

Quote:BOARD IDs were hijacked???

*gulp*..

Dazed012