vulnerability


Uploaded on Sep 21, 2011

We show how BEAST exploits a weakness in SSL to decrypt secret cookies.

Not surprisingly, the cross-site scripting (XSS) and/or Flash manipulation scam is alive and well on ebay, this time documented by a casual observer. This has also been documented time and again by myself and others on YouTube BTW.

For those not aware, these ID stealing flaws, through careful research, have been shown to exist uncorrected on ebaY for as long as 11+ years now.

What’s even more alarming: you don’t need to actually sign in to any phake login page to have your credentials stolen, thanks to the cookie stealing variant of this hack.

Top that off with the fact that ebay’s own policy is to blame the user/victim.

Numerous comments on my YouTube videos also indicate that victims are treated poorly and unprofessionally by ebaY’s customer service reps.

Important facts to consider when choosing online shopping or even surfing destinations.

 

Ebay scam redirect camper van

Uploaded on Jun 8, 2011

Hi, I'm not even an eBay member, but was looking at camper vans. If it's too good to be true it probably is; don't be foolish and lose your details or money. Thanks for watching. Can you trust this site? I think not. Thanks for watching. Please remember, if you do buy something like this and you part with your money, you will have no comeback. Yes, that's right: do your checks, AA, RAC, whatever. Don't part with your money on the descriptions (important) alone; on this site you could end up with a pile of poop. HPI only shows recorded accidents, not accidents repaired by other means, so get it checked. Don't believe these lying scum.

 

Update: for whatever reason that video has been removed. Anyone wishing to see it can leave a comment below and we shall make it available from the Mighty Cappnonymous Archives.

Yet more cross-site scripting flaws discovered on PayPal site(s)…

From Softpedia, via xssed.com

Two security researchers have independently identified cross-site scripting vulnerabilities in PayPal’s mobile and sandbox websites over the weekend, which could have been exploited in phishing attacks.

The XSS weakness on the registration.sandbox.paypal.com website was discovered by a member of the Romanian Security Team (RST) outfit, who goes by the online nickname of Nemessis.

article continues…

One vulnerability is confirmed fixed.

Please take note who is researching and reporting, Romanian bashers…

This reminds me of another incident which happened a while back. Also, if you haven’t been paying attention, it’s been reported that several smartphones are vulnerable to MITM attacks.

Romanian Detained Over eBay Cyber Fraud

Romanian detained over a $3 million cyber fraud against eBay Inc.

Very interesting article from abc news:

Romanian authorities have detained a man suspected of committing cyber fraud worth $3 million against the company eBay Inc.

Organized crime prosecutors say Liviu Mihail Concioiu is being investigated for “phishing” attacks against 3,000 of eBay Inc. employees.

They said Thursday that Concioiu allegedly stole the employees’ IDs and passwords in 2009 and accessed company files, including an application with the data base of eBay clients and their transactions. Concioiu then used “phishing” sites to access the accounts of about 1,200 eBay users.

It would appear the ebay database has been hacked, cracked, and zombied AGAIN.

(or is that still?)

Also notice how the term ‘phishing’ is constantly used. ebaY doesn’t like the “H” word it seems. But “phishing” alone does not get you access to the files and data described. We call that “HACKING”

rotflmao! Who could imagine?

It also tells us that ebay employees must not be too savvy if they are falling for whatever tricks are being used to gain the logins etc.

No mention of any response from ebay.

With ITS long and repeated history of such events, you should ask yourself whether you trust this unsafe outfit with your personal and financial data.

Who could imagine?

The long uncorrected XSS flaw rears its ugly head again!

Auctionbytes is reporting that falle-internet.de has again discovered listings with the malicious coding, this time with a virus twist.

The most important and telling quote of the article:

“They used javascript and java to address a known vulnerability; user’s computers were affected by just viewing the respective listings,”

See that part about “…just viewing the respective listings…” ?

That is one of the main reasons I advocate avoiding ebaY at all costs. Another is that they BLAME the USER for their own failures! Furthermore, they refuse to correct the flaw! Make no mistake, ebaY is a dangerous, untrustworthy, and dishonest website. Of that there is proof beyond the slightest shadow of a doubt!

ebaY is HACKED! Yes! ebaY is still HACKED!!!

Here is the report, with screencapture images, in English at falle-internet

My research indicates this issue has been ongoing at ebaY for about 10 full years now. Perhaps not under the same name, but indeed cross-site scripting has been exploited on ebaY since before it even had that name. Ebay has been aware of the issue for that long also. Since looooong before the US-CERT warning was posted. Bear in mind there are many variants of this exploit possible to use. It’s been used also for the redirects, and for cookie-stealing etc. The possibilities are only limited by the hacker’s imagination and ebay’s steadfast refusal to secure its festered site.

I’ll be posting another video demonstrating the +/- 10 year longevity of the XSS flaw on ebaY before long at the Cappnonymous channel.

Consumerist has a hilarious ebaY related article.

Scammers and/or hackers have set up fake ebaY customer service chat sites. They almost seem to be better than the real thing.

Reading the actual chat transcript, it also would seem the scammer-hackers have some way into various parts of ebaY not accessible to the rest of us. We’ve recently seen the hackers using ebaY APIs to authenticate ebaY logins, as seen in the redirect scam videos.

Furthermore, the real ebaY customer service reps have given very bad advice time and time again.

However, as always, there is more to it. Recently Doc of ebaymotorssucks.com captured a segment on live screenrecorded video concerning the same or very similar issue. He also uncovered quite a few bogus ebay live help and/or ebay livechat and associated look-alike domain names.

Oh but wait! There’s even more!

That’s right! You see, livechat.ebay.com has had an uncorrected XSS flaw since at least October 2007.

No wonder ebaY hides the link for livehelp so well. roflmao!

So again, remember, the entire ebaY-Paypal universe is WRITHING and CRAWLING with pure FRAUD and should be avoided at all costs!

BTW, in case anyone was wondering, YES, the ‘real’ ebaY customer service is a robot, or bot:

I AM DONE WITH EBAY ~ Robots with fake names!

We don't need no stinking badges! LOL!

This is scary stuff while simultaneously a bit amusing.

“That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.”

“If company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.

The company in question is known as Packet Forensics, which advertised its new Man-In-The-Middle capabilities in a brochure handed out at the Intelligent Support Systems (ISS) conference, a Washington DC wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.

According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will” and “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”

Here is a comedy highlight:
“VeriSign, the largest Certificate Authority, declined to comment.”

Looks like SSL is shot to hell.

Read the entire article. Follow the links there. lol

Law Enforcement Appliance Subverts SSL
