ABSOLUTELY UN-FREAKING-BELIEVABLE ebay member nip0664 gets SCAMMED, thanks to ebay LiveHelp rep “Shena R.” , and the management for allowing dangerous xss redirect flaw to exist for over 1 year. Just go to the thread and read all about IT yourselves, before IT disappears.

help with frau?!!!!!!!!!!!!!

The thread is locked.

Flaw info: http://www.kb.cert.org/vuls/id/808921

Edit 07-26-07. The thread has now dropped from the ebay forums. Here is a screenshot of the entire thread from Google cache


Updating now. There is more.

Following the same search term from a cappnonymous video I posted the info at, we see a very interesting thread “Live Help chat question“, wherein it seems that one poster feels that the LiveHelp Link has been hacked apparently:

These are the words of a Romanian scammer.”

(referring to “Shena R.”, then points out grammatical errors in support of his/her belief.)
ebay sucks donkey balls. I have proof

So has ebaY LiveHelp been hacked?

No reason to believe not, others in the original thread felt so also.

EDIT – Update 07-26-07

Screenshot of entire thread “Live Help Chat Question” from google, as the original thread has now dropped from the boards at ebay.

BTW, this made it to video, over on youtube:

ebaY LiveHelp Gives Official Blessing to Obvious Scam! OMFG

also, there are over 60 other examples of ebay being hacked, including this capture of the live redirect in action:

EbaY HACKED LIVE! XSS JavaScript Redirect Exploit Flaw Hack

So while everyone wants to play down or ignore the porn on ebay, there looms a more sinister problem, a more obvious problem. That problem is the redirect. The redirect cross-scripting flaw which ebay has ignored for well over a full year now. Possibly even longer.

Let me again refer readers to “eBay’s phishy old problem“, wherein it is writtten:

Robert Schifreen (security expert and author of Defeating the Hacker) said: “If eBay allows [these] tags within item descriptions, it would appear to me that they understand very little about the basic theory behind writing secure web-based applications.

“One of the golden rules is that you must strip out all html tags from user input, apart from a small subset containing any tags that you specifically want to allow (such as bold or italic text). Allowing users to publish their Javascript programs at will on eBay is asking for trouble, and linking to phishing sites is just the start of it.

“Claiming that it’s not a problem because links to phishing sites are quickly removed is, frankly, beyond belief for a high-profile site such as eBay. They should know better.”

Nigel Stanley, security practice leader at Bloor Research took no prisoners either. “eBay need a good kick up the backside for allowing such a vulnerability to persist on their site. The very nature of consumer auction sites means that many inexperienced and naïve users will be spending a lot of money on goods believing that they are safe and secure. If this was a two-bit outfit I may give them the benefit of the doubt, but eBay should know better.”

Lastly, let us not now overlook the fact that the hackers are full aware that using the redirect in any auction works just as well as, maybe better than porn.

Do you feel safe? Is IT worth the hassle?

There are many other, more safe and trustworthy places to conduct your business. Please consider the facts before you buy or sell anything online.

read more | digg story