http://www.codetalker.com/advisories/misc/bwc-990420.html

Title: Ebayla Bug - JavaScript eBay Password Theft
Date Issued: April 20, 1999
Last Modified: April 20, 1999
Code: BWC-990420
Source: Misc

THE EBAYLA BUG AND HOW TO PROTECT YOURSELF
http://because-we-can.com/ebayla/default.htm

This page describes a security problem that Blue Adept discovered with eBay's on-line auctions on March 31, 1999 (realaudio interview). The security hole allows eBay users to easily steal the passwords of other eBay users. The exploit involves posting items for bid that include malicious javascript code as part of the item's description. When an unsuspecting eBay user places a bid on the item, the embedded javascript code sends their username and password to the malicious user by e-mail. From the victim's point of view, nothing unusual seems to have occurred, so they are unlikely to report/complain to eBay.

Once a malicious user knows the username/password of the victim's eBay account, she can assume full control of the account, including the ability to:

* create new auctions (automatically charging the victim's account),
* place bids in the victim's name,
* retract legitimate bids in the victim's name,
* change the victim's username/password, barring them from eBay,
* associate bogus negative/positive comments with an arbitrary seller,
* prematurely close an auction being run by the victim,
* insert the ebayla code into the victim's auction. (The code could be altered to do this automatically, which would constitute an ebayla virus.)

The security problem is dangerously easy to take advantage of. A malicious user needs only to embed the javascript code into their description of an item for auction. A walk-through of the exploit demonstrates step-by-step how any user can steal eBay passwords.

Blue Adept notified eBay that a 'huge' potential security problem existed on March 31, 1999 and offered assistance (but as of May 7, 1999 has only received form letter KMM798062C0KM in reply).
Information about the ebayla exploit is being made publicly available to speed the process of fixing the security hole.

TRY THE EBAYLA BUG DEMO ON YOURSELF!

Visit a working demonstration of this exploit at eBay! The demo works with any javascript-enabled browser, such as Netscape or Internet Explorer. Users must register (free) with eBay to place bids. The demo is Blue Adept's own auction infected with eBayla code.

WARNING! When you bid on this item (or even just review your bid without placing it), your username and password will automatically be mailed back to because-we-can.com.
http://cgi.ebay.com/aw-cgi/eBayISAPI.dll?MfcISAPICommand=ViewItem&item=93164375

HOW TO PROTECT YOURSELF

Unfortunately, the potential security issues at eBay are difficult to spot and avoid. If you are unfamiliar with spotting suspect javascript in the source of an HTML document, the best way to protect yourself may be to avoid using eBay until adequate HTML filters have been implemented.
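The "adequate HTML filters" the advisory calls for are, on the server side, an allow-list filter applied to item descriptions before they are shown to bidders. The following is an added example of such a filter (not eBay's code and not part of Blue Adept's page): it keeps a handful of formatting tags and drops <script> elements, on* event handlers and javascript: URLs, so the bidder's browser never runs script embedded in a description. The allowed tag and attribute sets and the URL policy are assumptions made for the example.

```javascript
// Allow-list HTML filter for auction item descriptions (added example, not eBay's code).
// Anything not explicitly allowed is removed, so <script> elements, on* event handlers and
// javascript: URLs in a description never reach the bidder. Tag/attribute sets are assumed.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'ul', 'ol', 'li', 'a', 'img']);
const ALLOWED_ATTRS = { a: ['href'], img: ['src', 'alt'] };
const SAFE_URL = /^(https?:\/\/|\/)[^\s"'<>]*$/i; // only http(s) or site-relative links

function escapeText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;')
             .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Rebuild the attribute list of an allowed tag, keeping only allowed names and only
// URL values that pass SAFE_URL (this is what drops onmouseover=, javascript:, ...).
function cleanAttrs(tag, attrString) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '', m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] || m[3] || m[4] || '').trim();
    if (!allowed.includes(name)) continue;
    if ((name === 'href' || name === 'src') && !SAFE_URL.test(value)) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitizeItemDescription(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags is escaped, never raw
    last = tagRe.lastIndex;
    const closing = m[1] === '/', tag = m[2].toLowerCase();
    if (tag === 'script' || tag === 'style') {     // drop the element together with its body
      if (closing) continue;                         // stray closing tag: just drop it
      const closeRe = new RegExp(`</${tag}[^>]*>`, 'ig');
      closeRe.lastIndex = last;
      if (closeRe.exec(html) === null) { last = html.length; break; } // unterminated: drop rest
      last = tagRe.lastIndex = closeRe.lastIndex;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;            // unknown tag removed, its text kept
    out += closing ? `</${tag}>` : `<${tag}${cleanAttrs(tag, m[3])}>`;
  }
  return out + escapeText(html.slice(last));
}
```

Filtering alone is only half of the lesson of this bug: any script that does slip through can still read the bid form's password field because the untrusted description and the credential form share one page, so the form should not live alongside seller-supplied HTML at all.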