Shoestring Theory » scammers http://shoestringtheory.com Currently documenting the house that is eating our lives, we will return to regularly scheduled programming in a couple of more months Sun, 11 Sep 2011 19:25:55 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 German group demonstrates security flaw in eBay http://shoestringtheory.com/2008/03/13/german-group-demonstrates-security-flaw-in-ebay/ http://shoestringtheory.com/2008/03/13/german-group-demonstrates-security-flaw-in-ebay/#comments Thu, 13 Mar 2008 21:29:58 +0000 thetheorist http://shoestringtheory.com/2008/03/13/german-group-demonstrates-security-flaw-in-ebay/ AuctionBytes has an in-depth piece up on a security vulnerability in how eBay handles scripts in auction pages. A German watchdog organization, Falle-Internet.de, demonstrated the exploit this week. The vulnerability allows scammers to capture a wealth of information about an eBay user that visits an auction with the malicious script in it:

By loading the auction into our browsers, with Javascript and Flash enabled, AuctionBytes was able to see the private information for our account on a separate website page set up by Falle-Internet.de. The information included IP, Name, address, eBay User ID, email address, Bank Routing number, the last 4 digits of our bank account number, the last four numbers of our credit card, and the credit card expiration date. The page also showed auctions that were being watched, as well as saved searches and favorite sellers.

eBay, of course, said they had tools in place to stop such activity…which didn’t stop Falle-Internet.de from proving that the exploit works with a live auction.

]]> http://shoestringtheory.com/2008/03/13/german-group-demonstrates-security-flaw-in-ebay/feed/ 0