EcommerceBytes-NewsFlash, Number 1747 - March 13, 2008 - ISSN 1539-5065
Watchdog Group Gives Live Demo of eBay Security Vulnerability
By Ina & David Steiner
EcommerceBytes.com
March 13, 2008

Saying it was tired of waiting for eBay to fix a security problem on its platform that has existed for years, German watchdog group Falle-Internet.de exposed the vulnerability to journalists in a live demonstration on Tuesday. Falle-Internet.de was able to display reporters' eBay account information on a special page once reporters had visited an eBay Germany listing that contained malicious code similar to that used by scammers.

The security vulnerability is not new - the United States Computer Emergency Readiness Team (US-CERT) wrote about the cross-site scripting vulnerability on eBay in a research note in 2006 (http://www.kb.cert.org/vuls/id/808921):

An attacker may be able to obtain sensitive data from the eBay web site. As of the publication of this document, attackers are using this vulnerability to redirect auction viewers to phishing sites and to modify the eBay auction page to steal credentials. A wide range of impacts may be possible, including disclosure of passwords, credit card numbers, or other personal information. Likewise, information stored in cookies could be stolen or corrupted. An attacker could also exploit web browser vulnerabilities that require scripting support.

To view the exploit, AuctionBytes was instructed to log into eBay and visit a specific auction that had been created by Falle-Internet.de.

By loading the auction into our browsers, with JavaScript and Flash enabled, AuctionBytes was able to see the private information for our account on a separate web page set up by Falle-Internet.de. The information included IP address, name, address, eBay User ID, email address, bank routing number, the last four digits of our bank account number, the last four digits of our credit card number, and the credit card expiration date. The page also showed auctions that were being watched, as well as saved searches and favorite sellers.


Clicking on the Bid button on the eBay listing redirected AuctionBytes to a spoof bidding page with a cleverly concealed URL designed to look as though it resided on eBay.


Once we had entered our eBay User ID and password into the bidding page, the password appeared on the special page set up by Falle-Internet.de.


The contact at Falle-Internet.de said he's been monitoring this vulnerability for several years and that hackers are using it for phishing campaigns. Are they using it to hijack PowerSeller accounts? "They are hijacking any type of account, but PowerSellers are preferred. There are various techniques - spoof mails are sent inside the eBay system, or they insert malicious code in auctions," he said, adding that scammers also use Watched-auction data to send fake Second Chance Offers (SCO) for items victims are watching.

According to Falle-Internet.de, it has found huge collections of eBay cookies on the web. "This site is assigned to Romanian criminals, together there were stored drafts for automated fake SCO sending in different languages."

eBay spokesperson Usher Lieberman said eBay.com uses technology tools that have been very effective in blocking this known exploit. "Listings with malicious code are extremely rare on eBay.com," he said. When asked how long it would take eBay.com's software to detect listings containing malicious code, Lieberman said, "those listings should never appear."

However, eBay Germany handles the issue differently, through policy rather than blocking, Lieberman said, adding that the eBay Germany team had to work in the way that works best for its market. A statement issued by eBay Germany on Wednesday outlined the policy:

Sellers are only able to use active content in their item descriptions if they are either Powerseller, ID Verified or Verified PayPal member or if they are registered on eBay for more than 500 days and have more than 500 feedback points. We have deployed technologies that ensure that the use of active content is limited to only those sellers that meet the criteria mentioned above. These criteria ensure that only our most trustworthy sellers have the possibility to use active content. Additionally, eBay employs technologies that detect such malware and removes critical listings from the marketplace.

Falle-Internet.de had set up its listing for the demonstration on eBay Germany, but AuctionBytes accessed the listing by entering the item number on eBay.com. Lieberman said he wasn't sure how eBay.com's detection software worked with cross-border listings.
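As an added illustration (not code from the article, eBay or Falle-Internet.de), here is what a defender-side check of a listing description for active content of the kind described above can look like: it flags script elements, plug-in objects, inline event handlers and script URLs, and returns a copy of the description with them stripped. The sample listing, the attacker.example host and the function names in it are constructed.

```python
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "iframe", "applet"}  # dropped with their content
ACTIVE_VOID = {"embed"}                                   # no closing tag, dropped alone
URL_ATTRS = {"href", "src", "action"}

class ListingScanner(HTMLParser):
    # Walks one listing description, records active content, emits a stripped copy.
    def __init__(self):
        super().__init__()
        self.findings, self.out, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS or tag in ACTIVE_VOID:
            self.findings.append(f"active element <{tag}>")
            self._skip += tag in ACTIVE_TAGS  # void elements have no closing tag
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            scheme = (value or "").strip().lower().split(":", 1)[0]
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and scheme in ("javascript", "vbscript"):
                self.findings.append(f"script URL in {name} on <{tag}>")
            else:
                kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        elif tag not in ACTIVE_VOID and not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))

def scan_listing(html):
    # Returns (findings, sanitized_html) for one listing description.
    s = ListingScanner()
    s.feed(html)
    s.close()
    return s.findings, "".join(s.out)

# Constructed sample: a harmless description with injected script, handler, script URL and Flash object.
SAMPLE = ('<p>Nice vase, <b>ships fast</b></p><script src="http://attacker.example/g.js">'
          '</script><img src="vase.jpg" onload="steal()"><a href="javascript:bid()">Bid now'
          '</a><embed src="http://attacker.example/x.swf">')
```

Running `scan_listing(SAMPLE)` lists the four injected items and returns only the plain description, image and a link with its script URL removed.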

A Vulnerability Analyst at the CERT Coordination Center told AuctionBytes via email on Tuesday, "It is our understanding that the eBay web site still allows scripts in auctions. The best way that users can protect themselves is to disable scripting for the eBay web site. This can be accomplished by following the Securing Your Web Browser guidelines: http://www.cert.org/tech_tips/securing_browser. Internet Explorer users can modify the settings for the security zones, and Firefox users can use NoScript to accomplish this. The instructions are outlined in the above document."

Lieberman said users should have little difficulty viewing eBay with scripting disabled other than certain tools such as Countdown, but said it's not the ideal way to navigate the Internet.

Comment on this story in the AuctionBytes Blog:
http://blog.auctionbytes.com/cgi-bin/blog/blog.pl?/pl/2008/3/1205402244.html
