EcommerceBytes-NewsFlash, Number 1488 - March 06, 2007 - ISSN 1539-5065
Vladuz 'Captcha Populator' Tool Doesn't Worry eBay, Mozilla
By Ina Steiner
EcommerceBytes.com
March 06, 2007




A software tool created by a Romanian hacker who gained notoriety for his recent antics on eBay remains online. The eBayCaptcha Populator is an add-on for Mozilla's Firefox browser designed to defeat eBay's captcha security device and was posted by "Vladuz" on the Mozilla site. Captchas require a human to read a graphic and type it into the computer, thereby defeating automated programs that attempt to hijack accounts using dictionary attacks. Vladuz' tool claims to get around eBay's captcha defense.

Whether Vladuz' program was designed to work - or was possibly created as a device to defraud those who would use it - isn't known. But what may be perplexing is why Mozilla would find it an acceptable tool to leave on its site.

eBay spokesperson Catherine England said tools like eBayCaptcha Populator are not new and are not uncommon. "Companies have a variety of ways to fight them on the back end, including IP address information and a few other things we don't talk about," she said.

The tool is listed on Mozilla's page of add-ons (https://addons.mozilla.org/mozilla/4381). The Mozilla project is an open-source community of developers and testers and is the producer and provider of the Firefox web browser. In response to an inquiry, we received back a statement from Mike Shaver, Director of Ecosystem Development for Mozilla:

We have reviewed the add-on in question, and do not believe that it poses a risk to the user's security, as it doesn't transmit any data other than the "captcha token" to the service's web site. (Captchas are not a security measure that is meant to affect human users at a browser, so the process by which the form entry is filled should not affect the site's security - this add-on is roughly equivalent to asking someone to come to your computer and tell you what the captcha image says. The existence of this add-on does not affect whether the captcha system is subject to mechanical decoding, it simply seems to take advantage of the fact that this specific system is in order to simplify the login process for users of the site.) Ultimately, the user is in control of their browser and web experience, and the choice to streamline a login process is left in their hands. We caution all users to be careful when installing software, whether from our site or any other, of course.

Vladuz posted the add-on to Mozilla's site in January, and visitors to the page left comments expressing concern over the tool. One pointed out that the add-on required users to register at a Romanian website. The description for the captcha defeater includes a note, "after extension is installed, you must register at http://tokens.b0x.ro/ and get a unique key which you have to enter into Tools > Extensions > eBayCaptcha Populator - Options."

Vladuz has been taunting eBay after gaining access to a handful of customer service representatives' email accounts. Bloggers have expressed concern that Vladuz has done more and actually accessed eBay's system in some way.

eBay's England said, "Vladuz is very clearly boastful about a lot of things and hasn't compromised eBay's back-end tools. Claims are being made that are untruthful. Vladuz is a hacker and a career criminal and is using eBay to gain notoriety. eBay has a history of transparency and openness with the community that far exceeds what any company has done. Our site and information of our members is absolutely safe."

What upsets some bloggers, however, is the censoring of boards that discuss security issues, such as the Vladuz case. They also say they believe there has been an increase in the number of hijacked eBay accounts.

eBay blames hijacked accounts on users who are tricked by phishing campaigns. England said on Friday that the "number of account takeovers has not increased."

Related stories:

"He's Baaack - Vladuz "Hacker" Taunts eBay" (AuctionBytes)
http://www.auctionbytes.com/cab/abn/y07/m02/i23/s01

"Mysterious "Vladuz" again hacks eBay employee servers" (Register)
http://www.theregister.co.uk/2007/02/23/vladuz_strikes_again

Related Stories
  • eBay Addresses Vladuz Hacking Incident - February 22, 2007, Issue #1480
  • He's Baaack - Vladuz 'Hacker' Taunts eBay - February 23, 2007, Issue #1481
  • Vladuz 'Captcha Populator' Tool Doesn't Worry eBay, Mozilla - March 06, 2007, Issue #1488
  • eBay Auction Listing Swings Remain a Mystery - March 12, 2007, Issue #1492
  • Romanian Hacker Vladuz Makes Another eBay Housecall - March 14, 2007, Issue #1494
  • eBay Personalization Gaffe Could Help Phishers - September 21, 2007, Issue #1626
  • eBay Shuts Trust & Safety Board after Credit Card Numbers Exposed - September 25, 2007, Issue #1628
  • eBay Denies Security Breach after User Information Exposed - September 26, 2007, Issue #1630
  • eBay Explains Security Hole Used by Hacker - October 09, 2007, Issue #1638
  • Hacker Email Address Used in Previous eBay Scams? - October 09, 2007, Issue #1638
  • eBay Hacker 'Vladuz' Arrested in Romania - April 18, 2008, Issue #1772

