What Is Going On With eBay?

I’ve been a member and seller on eBay with the same user ID since 1998, and regularly turn to the site when I want to buy or sell just about anything you can mail.   But recently there have been attacks by criminal gangs on user accounts which eBay seems to be unable or unwilling to inhibit.   These gangs take over an innocent user’s account, possibly by tricking them out of their username and password (or possibly through an internal eBay vuln, which I think is more likely), and then use that account to sell non-existent items (and collect the money) and to seek and find more victims.

Many of the compromised accounts have 100% positive feedback, and had previously sold hundreds of items.   One victim who had his account hijacked says he was locked out of his account, and then later billed “around $50” by eBay for seller’s fees on items he had never heard of.   When customers click on a scammer’s listing, they are redirected to a professional, official-looking page which asks them to log in and ‘confirm’ their credit card and bank account details!   The items ostensibly for sale in these compromised listings range from smartphones and TVs to laptops and bicycles.

Users are taken to a fake page like this by XSS.   But notice the URL is not eBay and has the country-code of Ukraine, the worst for scams next to Nigeria!   Usually though customers will only see the right-hand side of a long string of gibberish and won’t notice.

This vulnerability stems from users’ ability to put custom Javascript and Flash content into their listings pages.   Many sellers use these to make their pages seem more appealing, with animations and other compelling techniques.   But allowing Javascript and Flash means that malicious code can be embedded in the listings’ pages, enabling ‘cross-site scripting’ (XSS).   With XSS, users who simply view a listing which appears legitimate are automatically redirected to a malicious webpage designed to steal user information, and lo, many people fall for it.

Some say this vulnerability has existed on eBay since February, although this very sort of account takeover happened to me last year, and also I know that Javascript and Flash have been allowed for years.   How did they get into my account?   No one had asked me for my eBay credentials, and I never got a phishing email regarding eBay.   I audit all exchanges, and so would notice.   I have Javascript turned off (with NoScript) for everything except functions which are absolutely necessary, and then only enable it temporarily.   I run TorBrowser for everything, which is a hardened version of Firefox.   This is why I suspect some internal vuln in eBay’s systems which is allowing these account takeovers.

Recently eBay made a statement:   “Many of our sellers use active content like Javascript and Flash to make their eBay listings perform better.

We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security.”

~~   Unsustainable Risk   ~~

eBay is such a high-profile site that it is inevitable that criminals will target its users.   Given the large volume of the site and the company’s resources, in my opinion there is no excuse for allowing unfettered use of Javascript and Flash.   This not only victimizes eBay’s best users, but enables an adverse dragnet to bring in more victims.   Why does eBay insist on allowing Javascript and Flash?   That’s a mystery.   Surely it’s not because of seller pressure, because eBay happily took a blowtorch to the face when they took away sellers’ ability to leave feedback for buyers.   And there is practically no other place for sellers to go.   Well maybe Amazon, but that’s not the same difference.

Until eBay can automatically identify malicious links, they must at least disable Javascript until they have some way of better mitigating the risk.   My suggestion for a temporary solution would be to allow only a library of carefully vetted Javascript objects to be used, which could be made broad enough to serve many if not most needs.   My long-term solution would be switching to pure HTML5+ and CSS3+, which would also solve a number of other issues and reduce costs.
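The static-markup policy suggested above can be checked when a listing is submitted. The following is an added example, not eBay's code or anything from the original post; the tag allowlist and the names `ListingAuditor` and `audit_listing` are assumptions made for illustration, and the sample listings are constructed.

```python
import re
from html.parser import HTMLParser

# Assumed policy for this example: listings are static markup only.
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "br", "b", "i", "em", "strong", "ul",
                "ol", "li", "a", "img", "table", "tr", "td", "th", "div", "span"}
URL_ATTRS = {"href", "src", "background", "poster"}
SAFE_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

class ListingAuditor(HTMLParser):
    """Collects (kind, detail) findings for anything outside the policy."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:          # script, embed, object, iframe, ...
            self.findings.append(("tag", tag))
        for name, value in attrs:
            if name.startswith("on"):        # onerror, onload, onclick, ...
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS:
                # Browsers drop tabs, newlines and control characters inside
                # a URL scheme, so strip them before looking at the scheme.
                cleaned = re.sub(r"[\x00-\x20]", "", value or "")
                match = SCHEME_RE.match(cleaned)
                if match and match.group(1).lower() not in SAFE_SCHEMES:
                    self.findings.append(
                        ("url-scheme", f"{tag}[{name}]={match.group(1).lower()}"))

def audit_listing(html):
    auditor = ListingAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample listings (not taken from any real page).
CLEAN = ('<h1>Vintage bicycle</h1><p>Good condition. '
         '<a href="https://www.example.com/photos">More photos</a></p>'
         '<img src="bike.jpg">')
ACTIVE = ('<p>Smartphone, new</p>'
          '<script src="https://cdn.example.invalid/x.js"></script>'
          '<img src="phone.jpg" onerror="void 0">'
          '<a href="java&#9;script:void(0)">details</a>'
          '<embed src="banner.swf">')

if __name__ == "__main__":
    for finding in audit_listing(ACTIVE):
        print(finding)
```

A submission pipeline would reject, or queue for review, any listing for which `audit_listing` returns a non-empty list; CSS inside `style` attributes is not inspected here.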

~~   Congratulations, Your Item Sold!   ~~

One user whose account was used to make malicious listings with the XSS vuln said that his account had been “acting weird”.   He was temporarily locked out, and listings were posted to his account by someone unknown to him.

I kept getting emails saying, ‘Congratulations you’ve sold your iPad’.   Well I hadn’t had an iPad for sale!   I sent an email to eBay telling them there’s something wrong here, but they didn’t respond.   Then they sent me an invoice saying I owe them $50 for ‘my selling fees’.

Many of the scam listings had, “Contact me before you bid” in the title.

eBay’s usual response when alarmed victims email them is, “Account takeovers generally occur as a result of a user disclosing their IDs or password.   Unfortunately, it is a common practice of criminals to exploit well-known, trusted brand names like eBay to attract consumers and then lure them to a fake website or into other fraudulent situations.”   In many cases eBay advises a victim to ‘clear their browser’s cookies and cache’, lol.   Poor GrandMa…

Granted, there’s always a trade-off between making a site easy to use and attractive, versus making it secure.   But eBay is far too susceptible to these sorts of attacks now and must move further toward security, for the protection of their giant, trusting user-base.
