Hacker May Be Exposing eBay Back Door
pacopico writes "A hacker specializing in eBay cracks has once again managed to masquerade as a company official on the site's message boards, according to The Register. A company spokesman denies that 'Vladuz's' repeated assaults on eBay point to a larger problem with the site's security. Of course, eBay two days ago claimed to have found a way to block Vladuz altogether, only to see him pop up again. The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts."
The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts.
$100 says this guy has a huge short on ebay stock.
The theory of relativity doesn't work right in Arkansas.
Maybe ebay should just pay the guy to tell them how to fix their system and be done with it. You know that this will all end with an exploit for ebay being discovered and someone getting sued.
Wow, that's quite an interesting technical statement to say they found a way to block ANYONE forever. Anyone can sit down at any computer and you can't tell the difference. The only way would be if he's in jail and apparently he's not, so I wonder what genius at eBay wrote up that statement. Btw, in case you didn't know, eBay owns Paypal so obviously their general IT and technical designing isn't so great already.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
...eBay is just a venue for people to exchange items, such as malicious code into an unexpecting user's browser.
When will they learn to do something simple like disallow META tags in item descriptions to stop redirects to sites with malicious code, rather than to hide such things and disavow any responsibility.
Sounds like the author has an anal fixation to me!
You just know what's gonna get posted soon...
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Your choice in Operating System does little to mitigate bad coding. eBay has never been known for their technical wizardry and coding sophistication. It wouldn't surprise me if their back doors were wide open. (If you knew where to look.) For example, instead of having secure B2B messaging channels between different offices and departments, they might use machine formatted Internet Email that gets decoded by machine on the other side. Which would mean that a lot of "financial information" could be travelling over "their email system".
10:1 says the guy is an employee who lost his gruntles.
Javascript + Nintendo DSi = DSiCade
Yes, operating system choice does little to mitigate bad coding; however, certain architectures like ISAPI are very complex and error prone. It isn't bad coding as much as it is bad choice of architecture. I have a feeling that in the beginning, some of the developers were asserting that some things were a bad idea and got fired because they weren't in the MS camp. I would like to see a count of people who have successfully implemented a _complex_ ISAPI application without possible security issues coming up after deployment. I have built a few and I will tell you that it is not like building a PHP application. (But ISAPI is pretty damned scalable if done right, aka you don't have to call CoInitialize().)
It might not be possible to fix their system.
According to Netcraft, eBay appears to heavily use Microsoft software for their main North American operations. If that list is correct, it seems that most of their sites run on Windows 2000 or Windows Server 2003, using IIS 5.0.
If these exploits are due to problems within Windows or IIS, it's basically outside of eBay's control as to whether or not such things get fixed. But we also have to question the competency of developers who would choose to base any significant, Web-based system on Windows. From a technical standpoint, it is insufficiently secure, and thus anybody in the know would avoid it. Web sites like eBay call for the use of high-quality, high-security operating systems like Linux, Solaris, HP-UX and AIX.
I told EBAY I could resolve this for them once they send the PS3 to my address in Nigeria. The payment through Paypal will not post to their account until after they have mailed the package. What don't they understand about this?
Right, because Apache magically prevents you from misconfiguring your servers and writing bad code?
Both IIS 5.0 and IIS 6.0 can be easily secured; IIS 6.0 is simply more secure "as installed". I ran one of the biggest hacker targets on the Net on IIS, and every single moron who announced giddily that "we are so owned, we are so stupid" walked away with their head hung low. Web site security is a mix of good administration and secure code. That's it. Choice of OS has surprisingly little to do with it.
:-) That's really funny.
Take off every 'sig' !!
Proof: http://havenforscammers.com/
I know I cannot be the only person thinking "what a loser." Maybe this guy has some motive behind his actions, but if you're in the world of IT Security you are relatively familiar with Romanian whackers. They can take the most mundane abuse of something and claim it as hacking. This is a perfect example. Is someone cracking, phishing, or scamming their way onto eBay's message boards that much of a "prank" or "hack"? I do not think so. Does it spell out that there is a security weakness somewhere? Absolutely. You will find this in almost any large organization when someone specifically targets them, their employees, and/or users. I cannot begin to account for how many times various ISPs have been publicly hacked/owned/pranked, far worse than this.
:)
Do that many people really get their news from eBay message boards? This guy is getting on account and posting messages. What is his next hack going to be? Use a stolen or fraudulently created account to post a *FAKE* auction? This guy can hardly penetrate systems at will. I think there's a reason he only seems to pop up at certain times. Classify this guy as another moron that needs to find something better to do.
Hopefully this loser will join the ranks of Victor Faur. Not so much in notoriety, but in the loss of the right to use a computer or travel internationally.
I posted this a few days ago. E-bay customer service still hasn't shown any indication they intend to fix this problem: E-Bay's sign-in server can assist phishers.
Joshua J. Kugler
Sorry man, but you're full of it. Apache out of the box _is_ more secure than IIS out of the box.
But both of them can be secured properly.
There are MILLIONS of IIS servers running sensitive information.
You saying otherwise is FUD every bit as disgusting as anything Microsoft produces.
Everyone needs to work together to bust the fud.
e-bay has a lot of issues. Whatever this individual is exposing, take it with integrity. All they want to do is throw money at it, and find ways to screw anybody and everybody as much as possible. 1 out of 6 people are millionaires on "paper"; because of this e-bay encourages them to work at a significantly reduced pay rate. They do this because they are bored, and e-bay allows them to act accordingly. Meaning, because they have nothing to lose, they can make everyone's life hell around them, without any quantifiable reprimand. This corporate culture comes from above, like shit rolling down hill.
Security breaches on ebay servers might explain the rampant theft of people's credit card info on ebay. In most cases ebay are apparently still trying to make customers and sometimes banks pay for the losses rather than admit to their servers being compromised.
FTA "but insist the servers that administer those functions are balkanized from databases" That proves it - he IS from Romania! But seriously, if Ebay's servers really are Balkanized, (http://en.wikipedia.org/wiki/Balkanize), "Balkanization is a geopolitical term originally used to describe the process of fragmentation or division of a region into smaller regions that are often hostile or non-cooperative with each other", maybe it's no wonder they have problems.
Go! boney m. rah-rah-rah bring back the czar! burn putin !!
Is it that the hacker is getting more expert, or that the system admin is less brilliant?
Read this:
2 &postdays=0&postorder=asc&start=192&sid=60d0e05bbc 249bae59e846c158ab9524)
k er-vladuz-carrying-on/
http://www.auctionguild.com/generic150.html/
and this from an ebaY user who goes by the handle firemeg (posted to a PheeBay.com discussion forum board http://www.pheebay.com/forums/viewtopic.php?t=119 )
Well, I went and did it... I got booted off the eBay community forums for 7 days. How convenient for them. I bet you're wondering what type of malicious thing I said to make them kick me off for a week...
I simply suggested that all posters [to the ebaY discussion boards] put the number of what their post should be at the top of all new posts (i.e. so everyone could see how many posts eBay was pulling and how censored the boards over there are). This was the exact post:
My post should be: #357
Let's all start to use the above line, along with the corresponding post number at the top of each of our posts...all the time!
Heaven forbid we number our posts. Someone in the media might have a bit of proof how many posts go poof. I also got an email through my website from another user who had also gotten a 7 day suspension today. He more-or-less suggested that ebay be as quick to remove scam/fraudulent listings as they are to remove posts that they don't like.
If you missed it, Blogging Stocks has another article on Vladuz that was published this afternoon: http://www.bloggingstocks.com/2007/02/23/ebay-hac
_________________
www.firemeg.com (firemeg is blogging how Meg Whitman needs fired and ebaY's cratering in general)
PS you all should be shorting ebaY right now...the backlash against ebaY Team Legal is gonna get butt-ugly