Options
OMG-ebay warning, first ive seen
pontiacinf
Posts: 8,915 ✭✭
I just got bored so I started crusing ebay coins, didnt even make it to the nickels page, as the main page had a listing 1 post down that had a porno pic of one doing something to another, and when I clicked on the auction, it showed the auction page for 10 seconds and without clicking anything it went to a sign in page, where you had to sign in to bid on what appeared to be nothing, and the url was not https:// so if one signed in, there goes you info. The post was active for a total of 2 mins, its now gone.
Just be careful
Just be careful
Go BIG or GO HOME. ©Bill
0
Comments
consider a luser attack in the hacking world. a way to trick people
into giving out info or making a webpage look "funky" to embarass
someone. major websites have programmers who are too lazy to
code properly so these things do not happen. but time and time
again these programmers fail to do their job properly on big name
websites.
what is more fun is rooting ebay's machines and having total control
over them :-) interview with someone who owned ebay's boxen.... the above link to me, is considered hacking
while cross site scripting is just lame.
---------
A PC World reader alerted me to a flaw on eBay's Web site that enabled a scam designed to trick people into handing over their personal information. eBay promptly patched the flaw last week, but experts I spoke with are wondering how long the fix will hold.
The flaw allowed a scammer to use an increasingly common type of attack called cross-site scripting, or XSS, to redirect people from an eBay listing to a spoofed eBay site. Though eBay may have plugged the hole for now, experts say, similar problems have surfaced in the past on eBay and other sites, and it's a safe bet they will again. The problem is not going away, and it will continue to cause visitors to eBay and other sites trouble for the foreseeable future.
How It Worked
On a tip from a PC World reader, I reviewed the scam before eBay canceled the auction that it keyed to. Once potential victims were taken to the fake, or spoofed, eBay site, anyone interested in the item in the auction--a 1961 Volkswagen Microbus--was encouraged to e-mail the scammer directly at 4naffairs@yahoo.com to proceed with the sale.
According to security experts, such attacks are a very common and effective way of tricking Internet users into visiting fake sites.
"Any site that accepts user-generated content has likely had to patch their site for this flaw," says Bill Pennington, vice president of services at WhiteHat Security. Pennington says his company finds nearly 600 instances of cross-site scripting flaws on the Web every day.
Can the Vulnerability Be Fixed?
For eBay's part, it says that it constantly monitors its site for security problems and corrects them as quickly as they are found. "As soon as we became aware of this scheme, we changed some of the code on our site. So this scheme, and ones like it, can no longer be effective," says Nichola Sharpe, an eBay spokesperson.
And eBay is far from alone when it comes to being a target of this type of attack. Similar attacks on major sites like Amazon.com, MySpace.com, Verisign, and even the United States National Security Agency's Web site have been documented.
Security experts say cross-site scripting is part of doing business on the Internet. "There is no one fix [for Web sites] to solve this problem," says Ken Dunham, security expert with VeriSign iDefense Security Intelligence Service. He says finding and patching cross-scripting flaws is like a game of Whack-A-Mole, with new flaws popping up all the time.
In the example found on eBay, the cross-site scripting exploit first inserted malicious JavaScript code into the auction listing description. Next, when users visited the rigged eBay auction, the JavaScript directed the users' Internet Explorer or Firefox browser to instantaneously forward the users to a spoofed Web page that looked exactly like an eBay auction page.
eBay says it now prevents JavaScript on its site from forwarding visitors to third-party sites automatically. However, experts say, hackers can easily modify JavaScript code to once again trigger the same behavior.
I was already logged in, so I didnt log in again, but i wouldnt have anyway due to no https:// in the url
Go BIG or GO HOME. ©Bill
Linky
Go BIG or GO HOME. ©Bill