Security hole on eBay
March 13th, 2008 by estreet

Ina Steiner of AuctionBytes.com writes an excellent piece about a huge security hole on eBay. In the article, a German watchdog group reports that criminals in Romania are exploiting a weakness within eBay listings to direct eBayers to a spoof site. When an eBayer views a malicious listing, the criminals retrieve the user’s email address, eBay user name, partial credit card info and watched item list.

Once they get this information, what do they do with it? I can see two ways to defraud victims:

1. The malicious listing includes links to a spoof eBay site. The user is prompted to log into a fake eBay page which supplies the criminals with the eBay username and password.

Now they can hijack the user’s account. They change the password, list lots of 1 day listings for Western Union or cash payment only, collect the money and run.

2. Once the exploiters know which items the eBayer is watching, they send fake Second Chance Offers for those items. Victims are lead to spoof sites or instructed to pay with Western Union or cash. Again, they run away with the money.

How do they do it? Using Javascript, you can send any information contained in a webpage to another site. The normal usage of Javascript in listings is to embed objects such as flash. Think of Auctiva’s showcase. They legitimately embed your Auctiva account info into your listings and send it to their server at load time so they can properly display your showcase content. I don’t know how, but the article clearly shows that there is a way to obtain an eBayer’s personal information from an eBay listing.

I assess that this is a complex operation that involves expert technical knowledge, money laundering and coordination of people. The technical expertise is not in the scripting, but how to not get caught. They have to design a system that keeps them untraceable or moves their IP addresses every few hours.

Why don’t people who are this intelligent just create a legitimate business? I suppose the governments and business climate in Eastern Europe and Africa don’t support small businesses and financial success. Or perhaps they do support small businesses that specialize in international crime. {Shrug} In either case, you have some super smart people creating opportunities for themselves.

Share and Enjoy:
  • Digg
  • Sphinn
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Twitter

2 Responses  
Jake writes:
March 13th, 2008 at 4:56 pm

Thanks for this. I’d heard about this (or something similar) a couple years ago. As soon as a victim clicks a result in an eBay search results listing, instead of being taken right to the listing, they are asked for an eBay login – on a spoof site. Sounds like this is similar – Javascript in the listing doing nasty stuff.

Ya know, when I once tried putting benign Statcounter javascript code in a listing once, it was declined by eBay (I got an error msg and couldn’t save the listing), so I figured that eBay was smart enough to filter out javascript that it didn’t like. Maybe not.

estreet writes:
March 13th, 2008 at 5:25 pm

I hope eBay finds a way to disable this specific security problem without getting any tougher on the Javascript embedded in listings. It’s pretty useful for solutions providers.

I’ve spent a lot of time on my own site protecting against malicious activity. That’s time that could have been spent on features.



»  Substance: WordPress   »  Style: Ahren Ahimsa