The eBayla Virus
An anonymous reader linked us a Tasty Bit from Tasty Bits about the eBayla virus: an auction item that contains some JavaScript that will email your private eBay info to the creator of the auction. Eek.
If (as it appears) he simply exploited it before pointing it out and giving them a chance to fix it, he's cracker scum and deserves to lose. Burglars can't pass themselves off as aspiring locksmiths.
I'm with you. There have been so many privacy and security exploits that abuse the big browser implementations, that I only ever enable it because the halfwits at my credit union can't make online banking work correctly. It's a shame; ECMAScript is a pretty cool little OO language (if hard to make efficient), but it just isn't safe enough for its biggest current niche.
...he'd have to test it out in order to make sure that it REALLY worked, wouldn't he? Your analogy is a little off... a burglar could find other means of access to different locks, whilst the coder could only test his JavaScript on the eBay auction engine.
"Fuck The Planet...Before It Fucks You"
http://www.dick.mailbox.co.uk/ebay.gif amused me.
;-)
Followed by an email which says:-
WebTV users -- please visit the link below for instructions on accessing secure pages:
http://pages.ebay.com/uk/aw/secure-webtv-suppor
Which gives a 404
great, another stereotype that can be cast upon linux users.....
If they have money to count, then they don't need to make eBay better. P.T. Barnum.
I think you can't really get mad at eBay; they probably weren't expecting their system to be vulnerable to JavaScript hackers, but when you use a language to handle any kind of secure information you are asking for trouble, but you have to trust that things like this don't happen.. I think eBay is using this user as a scapegoat for the blame; they probably knew of the hole but saw no purpose in fixing it until someone would exploit it, and if they had not acted in this way nobody would feel sympathetic.. If they had not and said "we know about it", then they would lose their customer base.. I'm sure in their minds they thank this man a lot but any threats they've lodged are only shallow PR for the eBay community to swallow.
Doesn't Sun own part of Netscape now?
I read the Tasty Bits and news.com articles, and neither said anything resembling "the suspect had already reported the problem to eBay, who did nothing."
Messengers don't shoot first.
A WeIrD article does claim he had clued them in a while ago, with no effect. Apparently neither CNet nor Tasty Bits thought that was important enough to mention - what appallingly shoddy reporting.
Just went out to eBay to check out his JavaScript trojan/bug and it looks like eBay has cancelled a bunch of auctions and (possibly) edited several others to wipe this off their system.
Questions : Was this automated or manual? If it's automated, can their process be fooled and if it's manual, how fast is the response time? Also, if it's manual, how good are the people checking things? Would the trojan hidden in an ad for a JavaScript reference manual go unseen?
Personally, I've turned JavaScript off.
If it's a virus, shouldn't it copy itself to other auction items? Does this one do that? I understand that it's definitely possible to do what this guy did, but is it possible to make a real virus out of JS? Not that I'd want to, just curious ;-)
The really bad thing is that this JavaScript is displayed on the same page that the user enters their bid amount. It really wouldn't be too hard for someone to write JavaScript that:
1) increases the amount bid before the form is submitted.
2) just tells someone else what the proxy limit is. (Imagine, you submit your bid, and cracker_foobar is right up there, bidding one dollar below your limit. Gee, someone seems to know a lot about what I'm willing to pay.) You could get away with this scam for ages. I wonder who is already doing this...
> ...I wonder who is already doing this...
It's not too hard to find out. Just do an eBay search of item descriptions for javascript and examine any item that doesn't seem to have anything to do with web design. I just tried this and of the 143 matches, several items were mysteriously cancelled by eBay, but there was one very recently added item that included the ebayla code.
eBay is gonna have to fix this quick or get in the habit of manually checking all of their auctions for dodgy javascript, but for a web company worth billions they sure don't seem to invest much of it in web design expertise.
eBay is being ridiculous (also pigheaded and stupid and arrogant and other such things), threatening the guy who found the hole for them. When that sort of thing happens you fall on your feet fixing it, and then you (discreetly) fall on your feet thanking who found it.
If they were to take action against the finder (presumably to protect their own asses), they might find what it's like to get the derision of the broadly-variable security research field; that ranges from negative mention in papers few people read to script-kiddie holocaust.
Annoying too that the media's calling this a "virus," which it isn't, not even close.
Posted by labisso:
It's always been my personal opinion that eBay and Windows are a lot alike -- hundreds of fun-filled security holes and error messages wrapped up in a nice GUI.
But maybe that's just me.
"He was dead when I got there, I swear!"
Posted by My_Favorite_Anonymous_Coward:
Hi,
I haven't checked the original "trojan", but I kind of get the idea of it. However, I remember that I could use absolute positioning in eBay. (But I didn't use "top:0; left:0", so I'm not sure if you can cover the top!)
Making a fake bidding form is quite easy: simply send the form to your server side and redirect the user back to the actual confirmation page. And then you use a "comment" or "table" tag at the end to dump the real submit form. (Even if you can't dump the real submit form, some bidders will still be stupid enough to submit the upper form!!)
CY
Posted by Condescending Unix User:
What about the poor bastards using WebTV. Does the WebTV browser support javascript fully enough to be vulnerable to this? And if so, can they disable javascript in their WebTV units?
I only allow the banks I use online (i.e., they have my money) to use JavaScript or use cookies. I wish they didn't require JavaScript though, so that I could use lynx, which is preferred.
Everyone else, you don't need JavaScript. (I'll allow Java if I'm in Netscape, which I'm not, only because Java is designed for security.) I allow a few sites like /. a cookie, but unless you actually do something that needs a cookie you don't get one. (Yes, I know cookies are relatively secure.)
Post all info to a news group, so that you can't get fingered by "hmmmmm, all this information seems to be being sent to joe.stupid@unlucky.isp.com"
Or just have it send to the address of someone you don't like, whose email account you have managed to break into.
"Remember, there never were pineapple-almond cookies here."
The demo isn't properly a virus, but it is possible (but difficult) to make it one. It is not inconceivable to have a script look at any auctions the user may have, and change the description to include the virus code. To me, that would make it a true virus.
&lt; shows up as <. Similarly with > (&gt;). It's the browser that's ignoring the tags, not Slashdot's fault.
In Soviet Russia, Jesus asks: "What Would You Do?"
Ack, I give up...
In Soviet Russia, Jesus asks: "What Would You Do?"
I'd class this as a trojan since it opens your data up to the outside.
If you want to make it a virus, perhaps a two-part virus, have it or the other part (back home) scan eBay for items for sale (modifiable pages) owned by the person whose ID you just stole. If they have any such pages, log in and modify them to include the viral code.
Then try to log in to their isp, a few good guesses based on their personal data and I bet more than half have matching passwords. See if they have any home pages, edit them to include the viral code...
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
In its present form, you're right, it's just a trojan horse. However, if you actually read the page linked to above, you'd see that the possibility exists for this to be transformed into a virus.
Say I run the trojan on my auction. It steals your password. I've programmed it to create more auctions, supposedly by you, that also steal your password and send it to me...It spreads for every person that bids. Wouldn't it be a virus then?
My $.02
It's not just viewing an auction. This requires the user to place a bid on the auction (which requires entering the username & password), so it only affects a few people.
-mike kania
eBayla looks a lot like eBay LA (or eBayLA), which is the name of eBay's upcoming Los Angeles-area listing directory. "eBayla virus" is a little too cute to be anything but a nickname.
I always regard it as a goof-up when I find I've left my JavaScript turned on in Netscape for no particular reason...
JavaScript was originally called "LiveScript". "LiveConnect" is something else... I think it's the thing that lets Java and JavaScript (and possibly some other things) talk to each other. One use for it is so Java applets can access cookies. (JavaScript can access cookies, but Java applets cannot. But if a Java applet can communicate with JavaScript on a page...)
In any case, I rarely have Javascript enabled (I've yet to see any use for it that makes it worthwhile, and plenty that make it a nuisance) and can't possibly imagine why an auction item would require Javascript to describe it.
The obvious solution to eBayla is to disallow Javascript in auction descriptions -- unfortunately I think the folks at eBay are too busy counting their money to actually do something to make the system better.
Stupid people will be persecuted to the fullest extent allowed by law.
I think the name has little to do with what kind of code it is (virus vs. Trojan) and more with the soundbite-ness of it.
Ebola virus = eBayla virus, etc.
I know I'm being pedantic, but a lot of people are griping about the inaccuracy...
Jay (=
http://www.news.com/News/Item/0,4,35321,00.html
The summary about eBay's response:
eBay acknowledged that the JavaScript exploit works, but minimized its importance.
"We know it's there, but you have to put it all in perspective," said eBay spokesman Kevin Pursglove. "We have a very open environment that lets individuals describe what they're selling, and JavaScript is there so people can make the best of their abilities to describe an item."
-- Bryan Feir
I've been setting up an auction website myself, and the easy way around this is simply limiting the allowed HTML, much the same way slashdot posts do :).... Letting them use , etc, is usually not a problem, but letting go by?
:). What I can't understand is that eBay even strips the quotation marks. Ah, well....
Really f***ing ignorant, ebay
-Rahga
yet another perl + CGI + html guy
$itemdescription =~ s/*script|/ :)
I said it was quick
$itemdescription =~ s/|//gi
g for all occurrences
i for ignore case, as in""
On the first I forgot the "... the >'s is also necessary (think "I've got a script!!!
....")
$itemdescription =~ s/(less than)*script*(greater than)|(less than)\/*script*(greater than)//gi
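The filtering idea in the Perl posts above, and the earlier suggestion of searching item descriptions for "javascript" to find infected auctions, can both be shown concretely. The following is an added example, not code from this thread, from eBay or from blue_adept. It contrasts the denylist approach (strip the literal script tags, case-insensitively) with a detector and an allowlist rewriter for description HTML, and it goes beyond the posted regex by also covering inline event handlers and javascript: URLs, which carry script without any script tag at all. The sample descriptions are constructed here with placeholder bodies (they are not the eBayla code), and the ALLOWED table is a hypothetical policy, not eBay's.

```javascript
// Added example: denylist regex vs. detector vs. allowlist rewriter for auction
// description HTML. Nothing here is eBay's or blue_adept's code.

// Constructed samples: 0 is benign; 1-3 carry the kinds of active content the
// thread discusses. Payload bodies are placeholders, not the real eBayla script.
const SAMPLE_DESCRIPTIONS = [
  '<b>Vintage lunchbox</b><br>Minor wear, see <img src="http://example.invalid/lunchbox.jpg">',
  'Nice item<script>document.forms[0].onsubmit=function(){/* placeholder */}</script>',
  'Nice item<SCRIPT language="JavaScript">/* placeholder: hook the bid form */</SCRIPT>',
  '<img src="http://example.invalid/x.gif" onload="/* placeholder */"><a href="javascript:void(0)">bid</a>',
];

// The denylist approach from the thread: delete the two literal tags, ignoring case.
function naiveStrip(html) {
  return html.replace(/<script>|<\/script>/gi, "");
}

// Detector: the three ways a description can run script in the bidder's browser.
const SCRIPT_TAG_RE = /<\s*\/?\s*script\b/i;                       // <script>, <SCRIPT language=...>
const EVENT_ATTR_RE = /\son[a-z]+\s*=/i;                           // onload=, onsubmit=, onmouseover=
const JS_URL_RE = /(href|src|action)\s*=\s*["']?\s*javascript:/i;  // href="javascript:..."

function findActiveContent(html) {
  const hits = [];
  if (SCRIPT_TAG_RE.test(html)) hits.push("script-tag");
  if (EVENT_ATTR_RE.test(html)) hits.push("event-handler");
  if (JS_URL_RE.test(html)) hits.push("javascript-url");
  return hits;
}

// Allowlist rewriter: every tag is rebuilt from scratch. Only listed tags and
// attributes survive, and URL-valued attributes must be absolute http(s) URLs.
// ALLOWED is a hypothetical policy chosen for this example.
const ALLOWED = {
  b: [], i: [], u: [], p: [], br: [], table: ["border"], tr: [], td: [],
  font: ["size", "color"], img: ["src", "alt"], a: ["href"],
};
const URL_ATTRS = new Set(["src", "href"]);
const SAFE_URL_RE = /^https?:\/\//i;
const ATTR_RE = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function rebuildTag(closing, name, rawAttrs) {
  const allowedAttrs = ALLOWED[name];
  if (allowedAttrs === undefined) return "";      // unknown tag (script, object, ...): dropped
  if (closing) return `</${name}>`;               // closing tags carry no attributes
  let out = `<${name}`;
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    if (!allowedAttrs.includes(attr)) continue;   // onload=, style=, etc. never come back
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (URL_ATTRS.has(attr) && !SAFE_URL_RE.test(value)) continue; // javascript:, data:, vbscript:
    out += ` ${attr}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out + ">";
}

function sanitizeDescription(html) {
  const noComments = html.replace(/<!--[\s\S]*?-->/g, "");
  const rebuilt = noComments.replace(
    /<\s*(\/?)\s*([a-zA-Z][\w-]*)([^>]*)>/g,
    (_, slash, name, attrs) => rebuildTag(slash === "/", name.toLowerCase(), attrs),
  );
  // Any '<' left over that does not start one of our own rebuilt tags becomes text.
  return rebuilt.replace(/<(?!\/?[a-z]+(?: [a-z-]+="[^"]*")*>)/g, "&lt;");
}

// Runs all three treatments over the samples and returns what is still active after each.
function compareFilters(descriptions = SAMPLE_DESCRIPTIONS) {
  return descriptions.map((html) => ({
    detected: findActiveContent(html),
    naiveStillActive: findActiveContent(naiveStrip(html)),
    allowlistStillActive: findActiveContent(sanitizeDescription(html)),
  }));
}

console.log(JSON.stringify(compareFilters(), null, 1));
```

Run it with node. Sample 2 shows the point the thread is circling: a denylist that looks for the literal `<script>` misses `<SCRIPT language="JavaScript">`, and sample 3 needs no script tag at all. The regex-based tag rebuilding here is enough to make the allowlist idea clear; a production filter should parse the HTML with a real parser and rebuild from the tree, since browsers are far more forgiving of malformed markup than a single regex is.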
And is there any "slashdota virus"? No, I don't think so ;)
I hate to nitpick, but it annoys the bejeezus out of me every time something nasty is discovered and people immediately scream "virus".
I think the problem is not going to be with eBay. The major problems will be with sites like ubid.com, and onsale.com. Both places require you to enter in actual credit card information before you can bid. If someone was to exploit that, they could mess things up a lot.
-Nicholas Blasgen
I followed the link(s) about this, and from what i can discern, this guy just wrote a Javascript that prompted people for their password info.
The point is that the victim has to be STUPID enough to enter their password.
This is a classic case of a "social" or "psychological" hack. It does not rely on the cunning or skill of the programmer, it relies on the gullibility of the victim.
It would appear that this can be a virus in that it can alter all of my auctions after I bid on an infected item, infecting them in turn. It can then propagate itself this way indefinitely (or until every single auction is infected :-)
Jason Dufair
"Those who know don't have the words to tell
and the ones with the words don't know too w
I think this is a hoax. It would be unlikely that anyone could get your username and PW when you look at their auction, because that information is not stored on your hard drive. The cookie that eBay sends you when you sign in might be on your HD, but a cookie wouldn't contain that info, just a unique identifier (anyone want to check this?)
What about people who are not members? You don't have to be an eBay member to view an auction, and even if you are a member, you don't have to sign in unless you are placing a bid.
Am I missing something? This just doesn't add up. I think we've been the victims of another virus hoax.
- CokeBear
------------------------------
"It is wrong always, everywhere and for everyone to believe anything upon insufficient evidence."
W. K. Clifford, "The Ethics of Belief" p. 282
Reality has a liberal bias
I seem to remember a court ruling recently that declared personal information has intrinsic value... If someone uses an "eBayla" script, would that person (or eBay) be sue-able?
Ick.
This is a serious problem eBay has to deal with..
But wouldn't it be funny if this guy logged on to eBay and offered this JavaScript for sale? Include a snippet of code, with the guarantee that the script isn't active, and sell to the highest bidder?
eBay would really have to get their butts in gear quick!
I hope he doesn't have to suffer for his service to humanity.
AS
-AS
*Pikachu*
Am I missing something?
The way it works is that when you type in your username/passwd in order to make the bid, the JScript sends that to the originator and passes the bid info on to eBay. So, it's more like a Trojan.
To turn this into a real virus, take the username/passwd combos you have collected, use them to log in and modify that user's auction pages to include the JScript, and it starts to spread...Do it automatically, and there's a problem. How long before that?
Mike
--
"Wi nøt trei a høliday in Sweden this yër?"
Oh how tempting it is to slap together a few scripts and start this baby rolling. I'd make one addition to the thing...have it pop up anti-microsoft dialogs. Heheheheh...
Blar.
Is it just me or is eBay just one big security sink hole?
"The pen is mightier than the sword... But what if you can't write?"
I ate my tag line.
-=Ellis (D)25=-
I call this a trojan.. They don't self-replicate, just create back doors and can delete files, etc.
Yes, JScript could be used to make a virus, except I think it would take a lot of work and a lot of code. It would be interesting to see if someone is developing one; the code would be outrageous.
"The pen is mightier than the sword... But what if you can't write?"
I ate my tag line.
-=Ellis (D)25=-
Well, that and the fact that it makes the Ebay interface break out in pustules and vomit black crap with bits of its lungs...
Wait. No. That's Win95 and me.
Sorry.
eBay runs IIS on NT...
Well, at least till EBay fixes it, all people have to do is disable javascript. I know I've been doing that for awhile. So those... Informational pop-up windows won't open when I close a page. Yeah, informational. -j
http://www.somethingpositive.net Funny + bitter = comedy gold
but its got a really cool name!
-- your knees hurt, don't they?
"JavaScript, which is unrelated to Sun Microsystems' Java programming language...."
Kudos to news.com for including that. I run into way too many people who confuse Javascript with Java.
The name "Javascript" was coined as a marketing tool to allow a scripting language (originally "liveconnect"?) to ride on the coattails of the Java programming language. Unfortunately, IMHO, the association has harmed the Java programming language.
Save the whales. Feed the hungry. Free the mallocs.
Well even the links state it's not a virus, but it is a good soundbite for the news.
I'm not sure which link you followed, but the one I followed explained quite clearly that just the simple matter of placing a bid on an auction (which requires your eBay user name and password) would e-mail that same information to the person who had placed the script in the auction - with no warning to you. No special screens you wouldn't normally see on eBay, no social engineering work required and no extra time taken.
Nothing to warn you that something other than an ordinary auction bid has just taken place.
If you are familiar with the way Ebay works this is easy to follow.
If (as it appears) he simply exploited it before pointing it out and giving them a chance to fix it, he's cracker scum and deserves to lose
It certainly doesn't appear that way to me... but then I read the article...
Ever hear of the phrase "shoot the messenger" - this is exactly what ebay is doing...
Initially I got back a very misinformed response recommending that I change my password. I finally (3 emails later) got them to understand what I was talking about, and they claim that they are working on a JS filter and will have the status posted to:
http://www2.ebay.com/aw/announce.shtml
I also cautioned them against prosecuting blue_adept, since that wouldn't be very good for them in a PR sense...
Hopefully they listen.
Post all info to a news group, so that you can't get fingered by "hmmmmm, all this information seems to be being sent to joe.stupid@unlucky.isp.com"
eBay says they won't hold people accountable for bids entered with a pilfered password.
How do they intend to determine whether the bid was entered legitimately?
Seems like a wide open excuse for someone who does want to back out "Wasn't me who entered that bid. Must be that eBayla 'virus.'"
Dumb decision on eBay's part. If they decide not to allow JavaScript they won't PO that many customers, but the press over this virus sure will.
Bottom Line: This is just the beginning! I am sure we'll see much more code like this in the near future. No straightforward fix in sight! So better know the tools you are using!
Under capitalism man exploits man. Under communism it's the other way around.
eBay needs to be taken out and beaten severely for not taking this threat seriously. The potential for serious exploitation is huge, and I can't believe they're taking the stand that this is a minor challenge that won't affect most people.
Amongst the "cute" ideas I've read about below (that all seem immediately technically and socially possible):
- Virus idea. Take each login/pw pair and introduce new JavaScript bids that spread further.
- Redirection. No reason you can't take someone away from eBay, put up a "duplicate" site that requests credit-card info. Very few users regularly check their current address or security information, especially with a "well-known" site like eBay.
- Bid stealing. Immediately send information about bids to a third-party, which can be used to drive up the price to the maximum any user is willing to bid.
- Bid modification. Change all bids and triple the submitted price. With eBay's anal standards about bid-retrieval, this could be a major hassle.
Sheer stupidity. Whoever is in charge of their public relations/technical departments REALLY dropped the ball today (and whenever they decided that JavaScript was somehow necessary and acceptable in auction descriptions).
I'm not surprised by eBay's reaction. It seems to me that most major corporations are in denial when it comes to security holes in their products.
I guess it just means they have to spend money to fix it that they could otherwise channel to their already swollen profits.
-- May the Source be with you --
I'm surprised that they are allowed to use "Java" in the name of it. Wouldn't that be some kind of trademark infringement?
Hi, this is blue_adept, the creator of the ebayla bug. I noticed that the only link mentioned in the article is to http://tbtf.com. That site updates itself daily... a static source of information on the bug is http://www.because-we-can.com
"Is this just useless, or is it expensive as well?"
Hey AC- you have what version Netscape? I'm running "Communicator 4.06" and I KNOW I can turn off Javascript- it's definitely OFF. There are a few sites that crash my Netscape (it just shuts down very abruptly) with Javascript on. It's a total waste of time anyway.
I totally agree with the above AC comments- JavaScript is crap. If you, as a web developer, can't figure out how to do a useful, efficient page without it, the McDonald's near me needs you.
:)
Forget all the arguing- the very existence of a JavaScript virus that can cause ANY kind of damage or problem PROVES that JavaScript is NOT secure, and is useless crap anyway.
I've NEVER seen a need or reason to use it.
You probably love those infernal, stupid, waste of 'net bandwidth background images that just make reading a major eyesore. I hope people start suing web developers who use busy background images for carpal tunnel retina.
I bet you also use lots of equally stupid moving gifs. Whoever invented them should be put in stocks until 2030.
I keep images off, Java off, and JavaScript off, and I'm a much happier surfer.
Are you suggesting their web staff might be technologically impaired? Like maybe morons or something? So far, in my experience, I see a 1:1 correspondence between a serious lack of technical brainpower and choosing NT.