
eBay redirect attack puts buyers' credentials at risk (UPDATED Again!)

Ethnod

UPDATE & TLDR:

"A flaw that has exposed eBay customers to malicious websites has been affecting the site since at least February, the BBC has found."

Or, just don't use eBay anymore  :unsure:

 

Long story:

eBay has been aware of this in some shape or form since February, when they were advised of this security issue.

 

 


 

An impressively advanced attack on eBay resulted in at least 2 listings being compromised. If you clicked on the listing you were brought to an eBay welcome screen asking you to log back in again; it was here that they tried to get your credentials. Man, not that I use eBay that much any more, but I do from time to time; going to have to be more careful.

 


 

Seems that eBay were alerted on Wednesday, but the compromised listings were not closed for a further 12 hours after receiving a query/notification from the BBC that the listings were still live. And we are talking about the known ones; how many were actually compromised? How many more were compromised? Are there still any up? Has this happened before?

 

To be honest this seems like the kind of hack that even I might fall for. I use ebay.co.uk and ebay.ie and they are forever getting confused and logging me in and out; plus they seem to be separate entities for some reason, as while my credentials are the same, the information I have access to is not always :/

 

Time to change passwords... again :D

 

Update portion

 

Readers of the BBC have contacted them, and the BBC conducted a further investigation and found that eBay users had actually tried to warn eBay about this issue before. More specifically, the BBC found that:

  • Innocent user accounts were hijacked in order to place the fake listings. Many of the accounts had 100% positive feedback, and had sold hundreds of items.
  • One victim who had his account hijacked told the BBC he was locked out of his account - and later billed "around £35" by eBay to cover seller's fees for items he had not auctioned.
  • When customers clicked on a listing that had been compromised, they were brought to a sophisticated, official-looking site that asked victims to log in and share bank account details.
  • The types of items used to target victims ranged from smartphones and televisions to hot tubs and clothing.

 

Seems eBay has acknowledged that the use of JavaScript and Flash on its pages, an attempt for sellers to promote their own pages and make them look more appealing, has "significantly raised the likelihood that malicious code could be included within the site's pages - due to a hacking technique known as cross-site scripting (XSS)".

 

James Lyne from Sophos stated that "The summary is that it is exceptionally dodgy and redirecting the user to a nasty web page with some really suspect scripts," also saying "At present we can't get our hands on the end payload, so can't be sure of the attackers' complete motive, but it is clear there are still nasty malicious redirects on the eBay site."

 

To make things worse, it seems that while the BBC has discovered evidence that the breach has been going on since February, there are some security experts saying that it's been going on for more than a year. I just cannot get over how baffling this is. eBay was supposed to be secure, and even if it was not for a time (I mean, nothing is 100% secure), it's been going on for more than a year D: Come on eBay ffs, get your shit together.

 

Turns out that there are a number of security professionals just waiting to mount criticism against eBay and their security procedures.

Mikko Hypponen, from "It's not OK for eBay to have cross-site scripting vulnerabilities on its website… If they can't make it work without the risk of exposing users to cross-site scripting, they shouldn't allow it."

 

Even after reportedly being contacted by users whose accounts had been compromised, and being advised that they did not place the ads, they were still doing very little (escalating the case, with no further action to come later) yet still looking for users to pay for items that they never sold.

 

Personally I won't be using eBay again for some time; it will need a massive overhaul, removing any scripts, and a major security firm confirming that it is again secure for users to go back before I will even consider it. Plus I tend to use Amazon now so I can use the Linus MG affiliate code, so I think this might be the end of me and eBay. I will also be contacting friends and family and ensuring that they do not use eBay for the foreseeable future.

 

So, is this the death of eBay?

 

Original Source: (somehow I forgot to include this last time)

http://www.bbc.com/news/technology-29241563 

 

Updated Source:

http://www.bbc.com/news/technology-29279213

 

Updated 2 Source:

http://www.bbc.com/news/technology-29310042

Never trust a man, who, when left alone with a tea cosey... Doesn't try it on. Billy Connolly
Marriage is a wonderful invention: then again, so is a bicycle repair kit. Billy Connolly
Before you judge a man, walk a mile in his shoes. After that, who cares? He's a mile away and you've got his shoes. Billy Connolly

wow

any detailed information on the attack ?


Video of the alleged scam

 

 

Pretty devious


I probably would have fallen for that.


Good thing I haven't bought anything from eBay recently.


Good thing I haven't bought anything from eBay recently.

Same here. Not going to for a while now.


"A transcript from February this year showed user Paul Castle explaining the issue, in detail, to eBay support staff."

 

FUCK!!

I'm pretty sure I have used eBay since Feb and it's quite possible I would have fallen for this :/ ... time for mass password changes, review of all PayPal and bank payments over the last 9 months ... there goes my Friday night

 

Source:

http://www.bbc.com/news/technology-29279213


Good thing I haven't used eBay for a while and changed my password already, so I should be good. "Should".


I've thoroughly checked my accounts and can't find anything unusual. Phew!!


Updated article from BBC
http://www.bbc.com/news/technology-29310042

 

Readers of the BBC have contacted them, and the BBC conducted a further investigation and found that eBay users had actually tried to warn eBay about this issue before. More specifically, the BBC found that:

 

  • Innocent user accounts were hijacked in order to place the fake listings. Many of the accounts had 100% positive feedback, and had sold hundreds of items.
  • One victim who had his account hijacked told the BBC he was locked out of his account - and later billed "around £35" by eBay to cover seller's fees for items he had not auctioned.
  • When customers clicked on a listing that had been compromised, they were brought to a sophisticated, official-looking site that asked victims to log in and share bank account details.
  • The types of items used to target victims ranged from smartphones and televisions to hot tubs and clothing.

 

Seems eBay has acknowledged that the use of JavaScript and Flash on its pages, an attempt for sellers to promote their own pages and make them look more appealing, has "significantly raised the likelihood that malicious code could be included within the site's pages - due to a hacking technique known as cross-site scripting (XSS)".

 

James Lyne from Sophos stated that "The summary is that it is exceptionally dodgy and redirecting the user to a nasty web page with some really suspect scripts," also saying "At present we can't get our hands on the end payload, so can't be sure of the attackers' complete motive, but it is clear there are still nasty malicious redirects on the eBay site."

 

To make things worse, it seems that while the BBC has discovered evidence that the breach has been going on since February, there are some security experts saying that it's been going on for more than a year. I just cannot get over how baffling this is. eBay was supposed to be secure, and even if it was not for a time (I mean, nothing is 100% secure), it's been going on for more than a year D: Come on eBay ffs, get your shit together.

 

Turns out that there are a number of security professionals just waiting to mount criticism against eBay and their security procedures.

Mikko Hypponen, from "It's not OK for eBay to have cross-site scripting vulnerabilities on its website… If they can't make it work without the risk of exposing users to cross-site scripting, they shouldn't allow it."

 

Even after reportedly being contacted by users whose accounts had been compromised, and being advised that they did not place the ads, they were still doing very little (escalating the case, with no further action to come later) yet still looking for users to pay for items that they never sold.

 

Personally I won't be using eBay again for some time; it will need a massive overhaul, removing any scripts, and a major security firm confirming that it is again secure for users to go back before I will even consider it. Plus I tend to use Amazon now so I can use the Linus MG affiliate code, so I think this might be the end of me and eBay. I will also be contacting friends and family and ensuring that they do not use eBay for the foreseeable future.

 

So, is this the death of eBay?

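The XSS point made in the original post and repeated in the update above is that seller-written listing HTML was allowed to carry its own JavaScript and Flash, which is all a hijacked account needs to bounce a buyer to a look-alike login page. As an added example (not code from this thread, from the BBC, or from eBay), here is an allow-list sanitizer built on Python's html.parser that a marketplace could run over listing HTML before serving it; the tag and attribute lists, the helper names and the sample listing are my own assumptions.

```python
from html.parser import HTMLParser
from html import escape

# Allow-list for seller-supplied listing HTML: anything else is dropped, and the
# DROP_CONTENT_TAGS (scripts, Flash objects, frames, forms) lose their content too.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "ul", "ol", "li", "img", "a", "div", "span", "table", "tr", "td"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "iframe", "noscript", "form"}

def _safe_url(value):
    # Only absolute http(s) URLs survive; whitespace is collapsed first so "java\tscript:" can't slip by.
    v = "".join(value.split()).lower()
    return v.startswith("http://") or v.startswith("https://")

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []  # clean fragments; audit trail for alerting
        self.skip_depth = 0              # > 0 while inside a dropped-content element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
        if self.skip_depth or tag not in ALLOWED_TAGS:  # also catches <meta http-equiv="refresh">
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                self.dropped.append(("attr", name))   # onclick, style, ...
            elif name in ("href", "src") and not _safe_url(value):
                self.dropped.append(("url", value))   # javascript:, data:, ...
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never emitted raw

def sanitize_listing(html):  # returns (clean_html, dropped) for one listing body
    p = ListingSanitizer(); p.feed(html); p.close()
    return "".join(p.out), p.dropped

# Constructed sample, not a real listing: legitimate markup mixed with the kinds of active content the article describes.
SAMPLE_LISTING = ('<div><b>Hot tub</b> for sale<script>/* redirect to fake login */</script><object data="x.swf"></object>'
                  '<a href="javascript:void(0)" onclick="go()">Buy</a><img src="https://img.example/tub.jpg" alt="tub"></div>')
```

The `dropped` list is the part worth wiring into monitoring: a seller whose listings keep producing `script` or `javascript:` entries is a hijacked account until proven otherwise.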
