Comment Reg Developer recently published a story about listings on eBay that point users to phishing sites. We thought we'd uncovered a new security issue on eBay, but it turns out we were wrong.
Not wrong about the security issue, there certainly is one. Our error was in assuming that it was new and/or that eBay didn't know about it.
Starting from some leads provided by you lot, we have found out that this issue has been well-documented for at least a year.
For example, it is described in a US-CERT vulnerability note dated 02/05/2006, which says: "eBay is a popular auction website. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website."
So the root of the problem is that users are allowed to post active code and active code can be used for malicious purposes.
What can eBay do? Well, if it chose to, it could restrict the HTML that users post to its site. This could have two effects, depending on what restrictions the company enforced: 1) it could ensure that the listing was rendered perfectly safe for other users, or 2) it could restrict the dynamic content that some perfectly legitimate users like to post.
So eBay has to strike a balance between security for its users and the functionality it offers them.
Over a year ago eBay apparently made a conscious decision not to restrict the HTML in this way. In an interview in March 2006, an eBay spokeswoman, Catherine England, is quoted as saying:
"Our sellers really use the dynamic content aspect of our listings. The benefits overwhelmingly outweigh the red skin that we have gotten.
"By the time something gets up there, we're usually so quick to get it and pull it down that it is really a moot point. We feel that it is not a huge concern or issue - it is minuscule."
As we found two weeks ago, "quick" can equate to more than two hours. There is evidence on eBay's own Trust and Safety community board (here and here) that a malicious listing can stay up for considerably longer than two hours.
These are well worth reading (thanks to Reg Dev reader Lee Berkovits for them). A week may be a long time in politics. On the web even two hours is more than enough time for multiple listings to phish multiple identities.
Do a few identity thefts really matter? They don't seem too bad if you believe that most phishers are school kids in bedrooms trying to steal an eBay identity so they can buy a bigger Wii than their mate's. Sadly, as The Register has shown (here and here), all too often organised crime is behind modern phishing expeditions.
So, while we agree there is a balance to be struck between security and functionality, we feel eBay has made the wrong decision and is exposing its users to an unacceptable degree of risk. The company, on the other hand, believes this is "not a huge concern or issue - it is minuscule". Ultimately, that is a matter of opinion, so we asked the opinion of a couple of industry experts in the field of security.
Robert Schifreen (security expert and author of Defeating the Hacker) said: "If eBay allows [these] tags within item descriptions, it would appear to me that they understand very little about the basic theory behind writing secure web-based applications.
"One of the golden rules is that you must strip out all HTML tags from user input, apart from a small subset containing any tags that you specifically want to allow (such as bold or italic text). Allowing users to publish their JavaScript programs at will on eBay is asking for trouble, and linking to phishing sites is just the start of it.
"Claiming that it's not a problem because links to phishing sites are quickly removed is, frankly, beyond belief for a high-profile site such as eBay. They should know better."
Nigel Stanley, security practice leader at Bloor Research, took no prisoners either. "eBay need a good kick up the backside for allowing such a vulnerability to persist on their site. The very nature of consumer auction sites means that many inexperienced and naïve users will be spending a lot of money on goods believing that they are safe and secure. If this was a two-bit outfit I may give them the benefit of the doubt, but eBay should know better."
So, it isn't just us then.
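The allowlist approach the article and Schifreen describe (strip every tag except a small set of harmless formatting tags, and drop active content together with its body rather than just its tags), as an added example that is not code from the article, from eBay or from the quoted experts. It uses Python's standard-library HTMLParser; the tag sets, the `sanitize_listing` function and the sample listing are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of harmless formatting tags; everything else, SCRIPT included, goes.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
# Active elements whose body is discarded as well, not just their tags.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1          # swallow the element body too
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")   # attrs dropped: no onerror=, no style=
            if tag != "br":               # <br> is void, nothing to close later
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open_tags and not self.skip_depth:
            while self.open_tags:         # close intervening tags so the
                closed = self.open_tags.pop()   # output stays well-formed
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:           # text is re-escaped on the way out
            self.out.append(escape(data, quote=False))

    def finish(self):
        self.close()
        while self.open_tags:             # close whatever the seller left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize_listing(html_text):
    parser = ListingSanitizer()
    parser.feed(html_text)
    return parser.finish()

# Constructed sample: seller formatting plus a script and an event handler that redirect buyers to a look-alike sign-in page (the article's pattern).
SAMPLE_LISTING = ("<b>Mint condition</b> camera, <i>boxed</i>.<br>"
                  "<script>window.location='http://phish.example/signin';</script>"
                  "<img src=x onerror=\"location='http://phish.example/signin'\">Buy now!")
```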
eBay's reply
We gave eBay the opportunity to reply to our concerns. This is what it said:
"Due to overwhelming demand from the eBay Community, we allow users to use active code in their listing. This enables them to use a number of tools which enhance the content of their listings. A small number of unscrupulous individuals have abused this opportunity to enter malicious code into their listings. In the rare instances where this occurs, it is typically detected by eBay and we've worked swiftly to remove them."
We can see the point, but we think the logic is weak. Of course users want better tools for producing more attractive listings. Whether it be software tools or fairground attractions, people always want bigger, better and faster. That's human nature. But they also have an expectation that the software/attraction will be safe and are justifiably upset when they find out it isn't.
As Jeff Goldblum says in The Lost World: Jurassic Park, "Oooh! Ahhh! That's how it always starts. Then later there's running and screaming."
Now, starting from the very first link of the report, and continuing to the comments section we see this:
XSS flaw recorded on video
Posted Saturday 26th May 2007 11:03 GMT
Where have you been? That porn redirect, in various forms, has been present on eBay, and documented, since around October or November of 2006.
Look on a movie and photo hosting site called hidebehind for the movie with file name 46C8A8; there you will see a live naked lady redirect XSS auction from/on eBay, with the redirect and all, on Firefox browser 2.003.
please note the above site is an adult site. If nudity and/or porn offends you do not visit or look for it.
That XSS flaw has been unrepaired and unacknowledged for at least one whole year, possibly longer (see US-CERT Vulnerability Note VU#808921).
Ahem... I posted that comment. I also made the video and posted it to hidebehind. I had originally posted the first report here, at the 2nd from the top of this page,
where it says: (full story with screencaps and comments at link)
By Mark Whitehorn. Published Friday 25th May 2007 22:38 GMT
-----------------------
Oh, and one last thing here. There were more porno redirect listings earlier this evening. Those will be finding their way to a hosting site. Altogether, a thousand-plus easily have seen those vids so far. (There are three versions posted about the www.) Glad at least one of them was probably a journalist.
Will sleazebay ever disallow the ability to include active scripting within the user controlled/added content of the listings?
By permitting active content in auction listings, eBay has made it childishly simple to post the javascript that would cause a distributed denial of service attack *on* *eBay's* *own* *servers*.
Obviously I won't post the code, but the script would install a browser helper object that silently and invisibly opened a browser window (MSIE for example) on eBay's own search engine, and then generated a search for a random string every few seconds.
Removing the auction would not stop the BHOs that had already been installed on unsuspecting eBayers' computers, and therefore would not stop the DDoS. And since eBay refuses to restrict active content, the malicious coder(s) could open lots more such "auctions" and infect many thousands more computers. Only by blocking the source IPs of the infected computers - and thus blocking their own customers from accessing eBay - could the DDoS be mitigated somewhat.
Frankly, I'm surprised it hasn't already been done.
----------------------
Now why do I have the feeling that is even more likely to occur ...now...?
Just bumping this so that anyone who clicks it sees the newly emphasized text up there. It seems that this story has been largely unacknowledged everywhere.
But the videos have not been. Those videos are getting more clicks than you could imagine. More will be uploaded tonight.