My view into „your eBay“ - the eBay XSS flash
exploit

Criminals can access data of eBay members by using a security gap. Unsuspecting victims simply need to visit a specific eBay listing, no additional link must be clicked. During viewing the item page his/her name, address, E-Mail address, and other data can be submitted to third parties.

The function has been demonstrated by »falle-internet.de« by using a specifically prepared listing:

Besides the personal data also all latest trading activities (successful or not) as well as the watched items can be viewed. Also the personal mailbox „My Messages“ is accessible.

In „My eBay“ is shown:

• Name and complete address
• E-Mail address
• Bank data for Direct Pay (partly x-ed)
• Credit card data (partly x-ed)
• Additional information for password verification
• List of won / bought items
• List of „Didn't win“ items
• List of watched items
• All messages sent and received through the eBay system in „My Messages“

Also the criminal phishing of passwords is made relatively easy by this XSS security gap. By manipulation of certain listing elements a fake login page is presented to the victims, which forwards entered passwords to the criminal attackers. The deception is more perfect than the usual forwards to external sites – it is possible to fade in the fake login directly to the listing page, the victim gets the impression that he/she is still on an official eBay page.

Each logged-in eBay member, on who's computer the Flash plugin is installed, and who has allowed JavaScript, can become victim of this security gap. The test showed that data scripting is possible completely unrecognized by the victim.

And so the view into the personal sphere of „My eBay“ works:
The criminal lists a rather prominent item on eBay, with a specially prepared Flash animation embedded into the item description. If a logged-in user visits this page his browser loads the malicious code of the scammer. This contains JavaScript which sends the eBay cookies of the user to the criminal. This import of external codes is already known since years as Cross Site Scripting (XSS).
As the Flash file is executed only on the computer of the victim user, eBay is unable to check the listing on prohibited JavaScript executables. eBay members can protect theirselves by generally disabling JavaScript in their browser, however, in that case the use of normal eBay pages is heavily influenced, important functions will not work without JavaScript.

Scamming gangs are quite at home in the techniques of JavaScript and XSS, and use dangerous Flash codes since long in fraudulent eBay listings. The problem should be known to eBay, because already one year ago members of »falle-internet.de« reported such listings to the auction house.

The variations of proven listing manipulation have increased considerably. One frequently used version is the manipulation of listing description in the browser of the viewer. Pending auctions are changed into „Buy-it-now“ listings, actual high bids are falsified, or seller´s feedback details are changed by overlay. Rather common is also the script which opens a mail window once the user clicks anywhere in the listing:

The scammer´s E-Mail address and the reference line is filled in already in order to support contact by the victim:

Further examination clearly shows preparations for additional scamming attempts by insertion of Flash files:

Even further goes a special manipulation of the »Bid« button which has been noticed already rather frequently. If a user intends to bid on the item, he/she will be transferred to an external fake login site, from which the phished password is directly mailed to the scammer.

To bait a large number of victims the criminals regularly use attractive layouts or frequently asked items:

By clicking such interesting offer the victim is automatically transferred to the external fake login form:

All member logins and passwords typed in there are automatically mailed to the phisher.

Within a few days only hundreds of account details are phished and ready for use by the scammers.

3 months after we submitted specific information to eBay, and after more than one year knowledge about the real usage of the security gap by scammers, no effective reaction was performed by eBay. »falle-internet.de« therefore believes it is necessary to inform the public about this threat.

During research how criminals make use of eBay´s lacking security measures, »falle-internet.de« performed a practical demonstration test of the XSS Flash exploit under real conditions. Selected users could repeat the test, and they established that their personal data in „My eBay“ had been accessible to third parties.

Despite the fact that the danger by XSS is known since years, in early December »falle-internet.de« introduced the weak points including potential solutions to eBay Germany's »Law Enforcement Affairs« department. Mid December we also informed their department »Trust & Safety« again about the potential risks. Until today they are not removed effectively.