Shoestring Theory

Currently documenting the house that is eating our lives, we will return to regularly scheduled programming in a couple of more months


German group demonstrates security flaw in eBay

March 13, 2008 at 3:29 pm by thetheorist

AuctionBytes has an in-depth piece up on a security vulnerability in how eBay handles scripts in auction pages. A German watchdog organization, Falle-Internet.de, demonstrated the exploit this week. The vulnerability allows scammers to capture a wealth of information about any eBay user who visits an auction containing the malicious script:

By loading the auction into our browsers, with Javascript and Flash enabled, AuctionBytes was able to see the private information for our account on a separate website page set up by Falle-Internet.de. The information included IP, Name, address, eBay User ID, email address, Bank Routing number, the last 4 digits of our bank account number, the last four numbers of our credit card, and the credit card expiration date. The page also showed auctions that were being watched, as well as saved searches and favorite sellers.

eBay, of course, said they had tools in place to stop such activity…which didn’t stop Falle-Internet.de from proving that the exploit works with a live auction.
