Online Safety

The dreaded XSRF cross site request forgery exploit is still uncorrected on ebaY. That means extreme risk to both ebay and Paypal users.




Let’s begin way back in 1999. This phylum of flaws (cross-site/scripting) has existed on ebay since before there were terms coined for it. I produced a quick & dirty video outlining not only that, but how ebay sought to make a public relations play by announcing the removal of sellers’ ability to use active scripting elements in the user generated content of ebay listings, then quietly reversed the decision, and buried that news on a backwater blog. You can cut to the quick  by clicking the more info area of the video and following the links.


Moving forward.


We blogged this vulnerability back in September. Yet if you follow the links there, you see the flaw actually existed for 3 years.



Now to the present day…


Malicious software includes 48 trojan(s), 36 exploit(s).


Several days ago I noticed that Paypal was showing infected at Google’s Safe Browsing tool page.

Looking again I see that the problems seem to be getting worse. The amount of malware detected is up since the last time they visited.

What happened when Google visited this site?

Of the 3662 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-04-22, and the last time suspicious content was found on this site was on 2013-04-05.

Malicious software includes 48 trojan(s), 36 exploit(s).


I had to look at ebay’s main page to see their latest re-release of the silly shopping Feed shizzlebleep.

I was greeted by this bogus “update your browser” warning. (yeah right, as if I would click to download anything from sleazebay, what? with it’s horrendous record for dropping malware, trojans, assorted expolits, drive-by downloads and all.)

Fake browser update notice on ebay main page

What’s more, I was on the very latest version of Firefox. I see others using up to date browsers are reporting the same.

Three jeers for the bay of bungling buffoons, and their pathetic partners, those paunchy poltroons at Paypal!

Avoid them both like the plague!

That’s right! Paypal wants your bank password.

Hilarious! This isn’t the first time we’ve seen this ridiculous situation.

This is nearly beyond words. The risk involved is obvious. I’ll begin with Paypal’s very own User Agreement. Paypal offers NO guarantee of anything!  Not against technical issues or glitches which may cause you loss, nor employee theft, hacking, etc. They do not guarantee the ID of any individual using their service, or that any transaction will be completed successfully.

They’ve also recently updated their User Agreement with more terms which frankly are fascist and well beyond bizarre. In short, they hold all the cards. There isn’t a thing in the world which would prevent them from draining your bank account on any pretext (or none at all) if you give them the password.

And if you think they won’t do that, you may want to think again. A quick web search or run through this blog will tell you that there are no lies too big, nor victims too small for our fiends at Paypal.

If anyone is wondering where the image came from, it was right here, where you can also see Paypal’s obvious yet disgusting little carnival of paid trolls and pettifoggers in action.

You’ll also see this there:

Here is what is stated in BOA online banking service agreement:

When you give someone your Online Banking ID and passcode, you are authorizing that person to use your service, and you are responsible for all transactions that person performs while using your service. All transactions that person performs, even those transactions you did not intend or want performed, are authorized transactions.

So before you fall for Paypal’s weasel words and tricks, check with your bank and their policies regarding sharing your password.

Don’t forget: Paypal is not a bank. Moreso, they are a shady, third rate money transmitter service with a long and storied reputation for dismal customer service, dishonesty, thumbing their nose at the rule of law and running roughshod over their users.

They are not to be trusted!

At the Technical Issues forum on ebaY there is a thread: Warning: Something’s Not Right Here! contains malware.

Here’s the pertinent text:

Never had this happen before, but I was looking at a list of listings for jackets and when I clicked on one of the auctions I got the below message. Now i’m paranoid

Warning: Something’s Not Right Here! contains malware. Your computer might catch a virus if you visit this site.Google has found malicious software may be installed onto your computer if you proceed. If you’ve visited this site in the past or you trust this site, it’s possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.We have already notified that we found malware on the site. For more about the problems found on, visit the Google…

(Followed by a long link of [snipped] gibberish text.)

Sure enough if you go to the link supplied there by the original poster, you’re met with a Reported Attack Site page. Click to enlarge, opens in new tab or window

ebay reported as attack site

This is hardly the first such warning for ebay. They’ve been showing malware, drive-by downloads, trojans and assorted exploits present on ebaY for a long time now at Google’s Safe Browsing page for At this very moment Google shows:

What is the current listing status for

This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 40 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 361401 pages we tested on the site over the past 90 days, 134 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-08-22, and the last time suspicious content was found on this site was on 2012-08-20.Malicious software includes 10 scripting exploit(s), 10 trojan(s).

Malicious software is hosted on 28 domain(s), including,,

37 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including,,

This site was hosted on 37 network(s) including AS11643 (EBAY), AS4436 (AS), AS20940 (AKAMAI).

I posted a short  video demonstrating this risk last fall. Since then there hasn’t been a single day that ebaY showed malware free.

Then there’s also the grandaddy of them all, the long uncorrected ID stealing xss flaw. Thirteen years now? roflmao!

Make no mistake, the risks along with the consequences are real. In short, if you even land on one wrong page at sleazebay, you’ll spend years cleaning up the mess.

Do you trust this outfit? How can anyone?

The only good reason to visit the ebay site is to close your account if you haven’t done so yet. Don’t forget, ebay’s stated policy is to blame the victims of fraud.


Readers here may want to see this

Not to surprising info posted over at

Active, hacked or phished Paypal accounts found for sale on yet more venues. For those not paying attention, there are entire sleazy industries surrounding all things ebaY & Paypal. This particular type has been exposed time and again.

Please don’t overlook the very real possibility they could all be insider fraud, as Paypal’s own documents show.

I say this because ebaY and PayPal  have been very quick and thorough to silence criticism and exposure of embarrassing facts, yet these highly fraudulent sites remain. EbaY allows as many accounts as a person wishes, and Paypal does little to nothing to verify people at the gate. Rather, they wait until funds are in one’s accounts, then seized, after the fact, under any number of false or invalid reasons, until you are “proven worthy“.

It’s pretty obvious that the members are being used to subsidize fraud and failure, and to cover PayPal’s losses, which are bourne of their very own lackwit policies and practices IMO.

The very best thing you can do is avoid PayPal and ebaY. Close both your ebay and Paypal accounts and do whatever you need to to be sure they cannot access both your bank accounts and credit cards.

Uploaded by on Sep 21, 2011

We show how BEAST exploits a weakness in SSL to decrypt secret cookies.

Next Page »