The dreaded XSRF (cross-site request forgery) flaw is still uncorrected on ebaY. That means extreme risk to both ebay and Paypal users.




Let’s begin way back in 1999. This phylum of flaws (cross-site scripting and its relatives) has existed on ebay since before there were terms coined for it. I produced a quick & dirty video outlining not only that, but how ebay sought to make a public relations play by announcing the removal of sellers’ ability to use active scripting elements in the user-generated content of ebay listings, then quietly reversed the decision and buried that news on a backwater blog. You can skip straight to the details by clicking the more info area of the video and following the links.


Moving forward.


We blogged this vulnerability back in September. Yet if you follow the links there, you see the flaw actually existed for 3 years.



Now to the present day…



When the Haggler asked the eBay spokesman John Pluhowski for the name of the PayPal spokesman and the Bill Me Later spokesman, he offered one name: John Pluhowski.



Does ebaY look like a good place to buy, sell, shop, browse, or even surf?

(caution, strong language)


Published on Mar 11, 2013

This is not for the faint of heart

The perpetrator's pals and business buddies

Another stunning example of why to never, ever use ebay and paypal!

A Boise, Idaho man has been caught and arrested for scamming on ebaY, using 400, that’s right, 400 fake Paypal accounts!


Once again I’ve stumbled upon a site where fake Paypal accounts are being sold. This time on the not so secret or hidden “hidden services” of the Tor Network.

Tor is a privacy and/or anonymity oriented software/browsing project, which has many legitimate uses. But like all things it can be used for other purposes too.

Fake Paypal accounts have been found and exposed so many times now it boggles the mind. Not only have I found them as far back as 2008, but so has Doc of, auctionbytes, and krebsonsecurity to name a few. You can see even more here.

This is truly a perennial problem, and an entire sleazy industry. A problem which Paypal seems to deal with best by penalizing and abusing innocent, legitimate users.

The website is located at:


which I believe you can only access via Tor.

The PayPal Store Home Page

When you click on “about” you are presented with this text:

Hello and welcome to the PayPal Store. Here you may purchase clean/hacked USA PayPal accounts, to use for online/offline black hat activities, etc.

Each purchase comes with a US PayPal account along with the associated e-mail account, fake identity of the PayPal’s “owner”, and optionally a VPN (for extra money). See Prices page for products.

Owning a fake PayPal is a must for black hats, e-whorers, scammers, money laundering, etc. These accounts are newly-created and have never been used, (no balance, etc., not including hacked accounts) and, if used correctly, should never become limited.

The Paypal Store About

The site also has an FAQ page:

The Paypal Store FAQ

The pricing page, where the payment options are shown as Bitcoin and Liberty Reserve:

The Paypal Store Prices

There’s also a contact page with a huge smile image and an email address. I’m not going to show that here.

One thing I’d like to point out here is that I’m not advertising for this website or service. I advise people to NOT get involved with such things. There’s no way of knowing who is on the other end or what you are actually supporting.

If you follow the news, then you know recently there was some sort of international drug bust of cyber-dope dealers. So it’s not out of the realm of possibility that this site could be a sting operation of some sort.

I’m not looking to start any conflict with users or owners of the site/service either. The purpose here is to alert legitimate PayPal users as to the risks involved as well as the utter dishonesty and hypocrisy when it comes to PayPal, their policies, practices etc.

Do I need to go on and describe PayPal’s pompous stance on security, or their lackadaisical policy enforcement/application? I could just mention a few things like Wikileaks, the Regretsy kids, constant violations of State Money Transmitter License terms, the current Zimmerman fundraising fiasco, and recent articles from The Haggler.

Add to that the recent spurt of Paypal employee personal issues: they’ve had 2, count them, two people commit suicide, and one get arrested for raping a 13-year-old girl. All these things combined certainly don’t instill a sense of well-being in users, and seem to hint at deep dark troubles imo.

You get the idea. I could go on and on about the world’s “most loved”.

I’d like to point out again that the biggest risks involved are in the Paypal User Agreement (a special arrangement of weasel words longer than Shakespeare’s Hamlet): they do NOT guarantee the identity of your trading partner, nor that any transaction will actually be fulfilled, and they can (and will) lock your account and seize your funds without having to disclose any reason why. Top that all off with the key phrase “THE PAYPAL SERVICES ARE PROVIDED ‘AS IS’ AND WITHOUT ANY REPRESENTATION OF WARRANTY”.

I still advise to steer clear of PayPal (and ebaY too, for that matter).

If you have an account, close it down before you fall victim to this unsafe, untrustworthy, scandalous outfit.

A curious post appeared on ebaY’s Seller Central forum recently by a person representing himself to be John Delson, an ebaY employee with the Seller Development dept. Needless to say, it was quickly removed.

Auctionbytes posted a blog regarding the issue (where the same John Delson person chimes in again in the comments area, BTW). Ebay spokespeople issued staunch denials both there and at a board upgrade forum on the ebay community forums.

Before you acknowledge or discount this as a legit message from alleged ebay employee John Delson, please consider the infamous ‘memo’ from 2008 and note how many of the things mentioned there came to pass, as well as how many similar things were then mentioned.

Here is a full page screencapture of the cached google page from that thread, reduced to 640 pixels (opens in a new tab or window).

Now the full text preserved from that cached page.

message from (former) eBay employee

Aug 24, 2011 01:20 PM


This is John Delson, an employee for eBay, Inc.

I know this will get me fired, but I am walking out today, so it does not matter anymore.

I work in the Seller Development department.

This department handles the future of how eBay members list, how they sell, what they sell, detailed seller ratings, feedback, etc.

Just about anything you do with selling is regulated with this department.

I’ve been with eBay for over 9 years, and I am one of the longest working employees in this department. Many others have left, or have been terminated, due to being “lenient towards sellers”.

Anyway, I want to bring up some key points that were discussed at the last “workshop”.

This workshop meets for about one hour every Wednesday. This workshop consists of several “upper level” eBay employees, and from time to time, John Donahoe, president of eBay, will stop in to make sure everything is “up to snuff” (as he puts it).

Anyway, after all the wrongdoing eBay has done to sellers, what was discussed today was the final “straw that broke the camel’s back”. After posting this, I’m walking out after 9 years of putting up with eBay’s unfairness to sellers, nonsense, and often immoral (bordering on illegal) policies that I personally have had to develop and implement on the eBay website.

The upcoming event will be the final “nail in the coffin” for many eBay sellers; however, I want to get this out here ahead of time, so you can prepare for it. This was actually going to be announced one week before being put into place.

On October 1st, 2011, eBay, Inc, on ALL eBay country locations (, .jp, .com, etc) will be ending the auction listing format.

After October 1st, 2011, all auctions will cease to exist on eBay, in favor of Donahoe’s plan (more on this later).

As you may know, we at eBay implemented a 9% final value fee on shipping costs.

Our official statement was released to the public stating it was done to prevent excessive shipping charges.

In reality, eBay was suffering profit losses, and this fee was a must in order to keep a positive income.

We understood that this would make a few sellers upset, this is why we also announced a new fee structure, and gave sellers 50 free auction listings.

This was done in order to keep our company looking untarnished for investors of eBay shares. We wanted to make more money from sellers, but keep them on here at the same time.

Many of you may wonder why eBay allowed numerous sellers from China to list on the website.

We did this because:

– Not only can buyers from China purchase things from eBay China, buyers can now purchase things from China all over the world. China is the largest seller, and allowing them more search exposure would increase our fee income and increase our GMV.

– It undersells sellers from other countries, and allows China to be the leader in sales for eBay.

Now you may be wondering why John Donahoe wants to get rid of the auction format.

Here are some of the reasons that were mentioned at today’s workshop:

– When buyers bid, they are not purchasing unless they win.

– The more buyers purchasing, the higher our fee profit is from sales.

– Time wasted bidding, is time that could be used for buying.

So there you have it, from the words of John Donahoe himself.

There will be another update released on February 22nd, 2012, that will get rid of small and medium volume sales.

eBay is tired of small sellers, because:

– They can’t sustain themselves, and tie up our customer support system.

– They often list junk, we don’t want to look like a flea market.

– They make us fees, but not enough for it to be worth them on our trading platform, due to all the issues they have.

On February 22nd, anyone selling on the eBay website will have to have at least 7,500 items in stock and ready for shipment.

– This number may increase.

– Sellers will have to submit proof of inventory, any documents proving they own the inventory, and (maybe) pictures of inventory.

– This will not apply to sellers who currently sell at least 5,000 items a month, since their selling volume is generally enough to satisfy our per-seller fee goal.

Well, that’s all I have to say. It’s been an unpleasant 9 years at eBay, and I hope all sellers reading this will take proper measures to ensure their success on eBay.

Thank you for your time, and goodbye:

John Delson

Employee, eBay, Inc.

Sellers Development Department.

Oh my!

Maybe just a simple embarrassment to paypal, but it's a ri$k for you

While not too many people seem to be noticing, the fact is that @PayPalUK has been hacked yet again! You may notice their page is suspended. (again)

That makes for twice in one week! Full-sized screencaptures were made by Docklandsboy, also screencap and blog by confirming.

You may notice the hacker states that usernames and passwords have been gleaned and will be dumped.

Do you really trust these paypal clowns, who can't even secure a twitter account with your money and info?

I don’t see anything resembling an official response from Paypal. But for anyone paying attention, covering up things like this (and much worse) is one of paypal’s special talents. Don’t expect them to make a peep about it unless this hits major publications.

Close your accounts now!

Update 07.10.2011

I’ve found something resembling an official statement in Huffingtonpost’s 7 top tweets of the week:

The Twitter handle for PayPal’s U.K. branch was apparently hacked on Tuesday. For several hours, the feed tweeted out links to an anti-PayPal website and featured highly critical statements about PayPal. The company confirmed the hack, and Twitter suspended the account the same day. As of Sunday evening, the feed remains offline.

It would seem that Paypal is going to try to skim over the second hack job.

Not surprising. The truth to Paypal is much like sunlight to a vampire.

Just in case you want to see it, here is a screencapture of the Twitter page on July 6th 2011 at around 5:36 AM Pacific time, USA, which, as you can see from the comments, was after the first hack attack and before the second one. So, NO, again, the account did not ‘remain offline’. It was hacked a second time!
