ABSOLUTELY UN-FREAKING-BELIEVABLE ebay member nip0664 gets SCAMMED, thanks to ebay LiveHelp rep “Shena R.”, and the management for allowing a dangerous xss redirect flaw to exist for over 1 year. Just go to the thread and read all about IT yourselves, before IT disappears.
The thread is locked.
Flaw info: http://www.kb.cert.org/vuls/id/808921
Updating now. There is more.
Following the same search term from a cappnonymous video where I posted the info, we find a very interesting thread, “Live Help chat question”, in which one poster seems to believe the LiveHelp link has been hacked:
“These are the words of a Romanian scammer.”
So has ebaY LiveHelp been hacked?
There is no reason to believe otherwise; others in the original thread felt the same.
EDIT – Update 07-26-07
BTW, this made it to video, over on youtube:
Also, there are over 60 other examples of ebay being hacked, including this capture of the live redirect in action:
So while everyone wants to play down or ignore the porn on ebay, a more sinister, and more obvious, problem looms. That problem is the redirect: a cross-site scripting flaw in item descriptions that ebay has ignored for well over a full year now, possibly even longer.
Let me again refer readers to “eBay’s phishy old problem”, wherein it is written:
Robert Schifreen (security expert and author of Defeating the Hacker) said: “If eBay allows [these] tags within item descriptions, it would appear to me that they understand very little about the basic theory behind writing secure web-based applications.
“Claiming that it’s not a problem because links to phishing sites are quickly removed is, frankly, beyond belief for a high-profile site such as eBay. They should know better.”
Nigel Stanley, security practice leader at Bloor Research, took no prisoners either. “eBay need a good kick up the backside for allowing such a vulnerability to persist on their site. The very nature of consumer auction sites means that many inexperienced and naïve users will be spending a lot of money on goods believing that they are safe and secure. If this was a two-bit outfit I may give them the benefit of the doubt, but eBay should know better.”
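The flaw the quotes above describe is seller-supplied HTML in item descriptions that can send a visitor somewhere else. Below is an added example, not eBay's code and not from the cited articles, of the allowlist sanitizer such a description field needs: it keeps a handful of formatting tags, drops everything else (script, meta refresh, iframes, event-handler attributes) and rejects any link that is not a plain http(s) URL. The tag and attribute lists are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
# Allowlist for a listing description (an assumed set); anything not named is dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # content dropped too

def _safe_url(value):
    # Plain http(s) only: rejects javascript:, data:, vbscript: and padded forms like "java\nscript:".
    v = "".join(value.split()).lower()
    return v.startswith(("http://", "https://"))

class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        if self._skip or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # e.g. meta (refresh), script, iframe
            return
        kept = []
        for name, value in attrs:
            ok = value is not None and name in ALLOWED_ATTRS.get(tag, set())
            if ok and name in ("href", "src"):
                ok = _safe_url(value)
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")  # e.g. b@onclick, a@href
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS - VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))
def sanitize_description(html):
    """Return (clean_html, dropped) for an untrusted seller description."""
    p = DescriptionSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped
```

The `dropped` list is worth logging: a description that keeps losing script tags or redirecting links is a listing worth a human review.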
Lastly, let us not overlook the fact that the hackers are fully aware that using the redirect in any auction works just as well as, and maybe better than, porn.
Do you feel safe? Is IT worth the hassle?
There are many other, safer and more trustworthy places to conduct your business. Please consider the facts before you buy or sell anything online.