AuctionBytes has an in-depth piece up on a security vulnerability in how eBay handles scripts in auction pages. A German watchdog organization, Falle-Internet.de, demonstrated the exploit this week. The vulnerability allows scammers to capture a wealth of information about any eBay user who visits an auction page containing the malicious script:
By loading the auction into our browsers, with Javascript and Flash enabled, AuctionBytes was able to see the private information for our account on a separate website page set up by Falle-Internet.de. The information included IP, Name, address, eBay User ID, email address, Bank Routing number, the last 4 digits of our bank account number, the last four numbers of our credit card, and the credit card expiration date. The page also showed auctions that were being watched, as well as saved searches and favorite sellers.
eBay, of course, said they had tools in place to stop such activity…which didn’t stop Falle-Internet.de from proving that the exploit works with a live auction.