The dreaded XSRF (cross-site request forgery) flaw is still uncorrected on ebaY. That means extreme risk to both ebay and Paypal users.

Preface:

Let’s begin way back in 1999. This family of flaws (cross-site scripting, and the request forgery that rides on the same misplaced trust in the browser) has existed on ebay since before there were terms coined for it. I produced a quick & dirty video outlining not only that, but how ebay sought to make a public relations play by announcing the removal of sellers’ ability to use active scripting elements in the user-generated content of ebay listings, then quietly reversed the decision and buried that news on a backwater blog. You can cut to the chase by clicking the more info area of the video and following the links.

Moving forward.

We blogged this vulnerability back in September. Yet if you follow the links there, you will see the flaw has actually existed for three years.

Now to the present day…


Published on Sep 16, 2013

eBay are currently vulnerable to XSRF, allowing any other web site to alter your profile information and gain access to your account.
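The flaw named in that excerpt, as an added illustration that is not the blog’s code and not eBay’s: a constructed profile-update endpoint in Python, written once in the vulnerable shape (the session cookie alone authorizes the change) and once hardened with a session-bound synchronizer token plus an Origin check. The origin names, the session store, the field names and the attacker’s form are all assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed model of a profile-update endpoint. Origins, session store and
# field names are assumptions for this example, not any real site's code.
SITE_ORIGIN = "https://auction.example"
SERVER_SECRET = secrets.token_bytes(32)

SESSIONS = {}   # session id -> username
PROFILES = {}   # username -> profile fields


def login(user):
    """Issue a session cookie value for `user` (no password check; constructed)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    PROFILES.setdefault(user, {"email": f"{user}@example.org"})
    return sid


def csrf_token(sid):
    """Synchronizer token bound to the session: HMAC(server secret, session id).
    Only a page served from SITE_ORIGIN can read it into its form; a page on
    another origin cannot, and cannot compute it without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def _current_user(request):
    return SESSIONS.get(request["cookies"].get("sid"))


def update_profile_vulnerable(request):
    """Trusts the session cookie alone. The browser attaches that cookie to a
    form auto-submitted from any other site, so any site can edit the profile."""
    user = _current_user(request)
    if user is None:
        return 401
    PROFILES[user].update(request["form"])
    return 200


def update_profile_hardened(request):
    """Same endpoint with two independent checks: the Origin header must be this
    site's, and the form must carry the token bound to this session."""
    user = _current_user(request)
    if user is None:
        return 401
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return 403
    form = dict(request["form"])
    token = form.pop("csrf_token", None)
    expected = csrf_token(request["cookies"]["sid"])
    if token is None or not hmac.compare_digest(token, expected):
        return 403
    PROFILES[user].update(form)
    return 200


def cross_site_request(sid):
    """What the victim's browser sends when a page on attacker.example
    auto-submits a hidden form: the victim's cookie, the attacker's Origin,
    and no token (the attacker has no way to learn it)."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"email": "mailbox-controlled-by-attacker@attacker.example"},
    }


def same_site_request(sid, new_email):
    """A legitimate submission from the site's own profile page."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"email": new_email, "csrf_token": csrf_token(sid)},
    }


def run_demo():
    """Drive both handlers with the same forged request; return what happened."""
    sid = login("victim")
    out = {}
    out["vuln_status"] = update_profile_vulnerable(cross_site_request(sid))
    out["vuln_email"] = PROFILES["victim"]["email"]
    PROFILES["victim"]["email"] = "victim@example.org"   # reset between runs
    out["hard_status"] = update_profile_hardened(cross_site_request(sid))
    out["hard_email"] = PROFILES["victim"]["email"]
    out["legit_status"] = update_profile_hardened(same_site_request(sid, "new@example.org"))
    out["legit_email"] = PROFILES["victim"]["email"]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler is exactly the situation the excerpt describes: the browser sends the victim’s cookie with a form the victim never saw, and the server has nothing else to go on. The hardened handler rejects the forged request on the Origin alone and again on the missing token, while the same-origin request with the token still succeeds. Marking the session cookie SameSite=Lax or Strict is a further layer on top of this; in a real deployment the Origin check also falls back to Referer for clients that send no Origin header.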

Also very noteworthy,

ebay fake customer service scam


There’s been a recent uptick of hacked, hijacked accounts on ebaY, and as usual they’re not doing too well at protecting the community, and certainly not the victims.

The modus operandi is the same as it has been for years: hackers gain control of an account and place images within the listing advising off-site transactions. Usually they make everything look ‘official’ by purporting to be working with ebay’s protection department, or using similar phrases. This is also known as Account Take Over (ATO).

This weekend we have some representative victims: one, anitahaveit2 (13383), is a shooting star level powerseller; the other, gangsu2007 (111), is a small seller. There could be any number more victims and fraud listings. That’s one advantage of having 190 million plus listings on the site: it makes the fraud harder for people to spot.

Screenshots: gangsu2007 (hijacked) and anitahaveit2 (hijacked)
Note that the items listed on both hijacked accounts are identical. Also note that the image containing the bogus instructions in gangsu2007’s listings purports to offer ebaY Buyer Protection. Rest assured, if you fall for the scam you will not be protected. Rather, ebay will make the listing vanish, claim it was never on their site, and say that you conducted a transaction outside ebaY and are therefore not eligible for any protection.


As to how the hackers gained access to the accounts, phishing or similar trickery may well explain that. However, as has been continually pointed out, phishing does not explain how the hackers are able to bypass the fraud filters, seller limits, limits for high-fraud-rate categories, dollar amount and brand name limits, and a whole host of others, even secret ones, which the ebaY seller community has experienced. (A hijacked account does inherit whatever limits that seller had already earned, which is one reason established accounts are targeted; that still leaves the question of how a 111-feedback account could list the very same goods.)

So far as I can tell, there are only two plausible explanations for this long-recurring phenomenon: one, ebay is hacked, or two, the hackers have insider assistance. If anyone is aware of other possibilities, comments are open.


On ebaY’s Trust and Safety forum these incidents have been reported, and it’s very telling. One thing which may escape the reporting parties is that they will likely be repaid for their efforts to protect the ebaY community (or ebaY’s virtue) with stalking, drive-by character assassination, and various social engineering ploys or attempts (LoLz!), perhaps even a DDoS attack should they happen to open any webpages exposing sleazebay. I’ve watched, and lived through, many such events.

The very best course of action is to not complain to ebaY. Instead focus your effort upon persuading others to never use the site. Not ebaY, not Paypal, not any site owned by or connected to them.

But the fact remains that some of us have been warning and/or educating people for years, literally. The good shepherd ebay is still sending its flock to the good butcher, and still doesn’t care to do anything but bury the fraud and belittle or harass those who dare expose them.

For those intent on staying even as the site is more unsafe now than ever before, I guess someone should have listened, eh? Are you listening now?

You could learn a lot from some dummies.

This ^ is for anyone who has ever criticized or exposed ebaY and felt their wrath.

Don’t worry.  We shall be Vindicated. ;p

Score another social media fail for ebaY, as ebaY India’s official Twitter account was hacked and an apparently inappropriate multi-syllable phrase posted.

Ebay India issued a tweet regarding the situation:

The exact nature of the phrase was completely lost in translation here; however, Twitter is abuzz with it.

Here’s the obligatory screencapture:

Screenshot: eBay India’s official Twitter handle, apology tweet after the hack

See a full page screencapture of their original tweet (and replies to it)

We’ll show one fitting comedy reply here.

I’m wondering whether this may start a trend for 2013? LoLz!

If everyone remembers, there were the hilarious episodes when paypal.uk had their Twitter account hacked, not once but twice.

Screenshot: hijacked listing, “Signed First Run ESP Kirk Hammett Ouija” guitar (munchkinscakes08, 2012-12-09)

I see the hackers are not sitting this holiday season out. Last night I found that ebaY shooting star level seller munchkinscakes08 (40878) was hijacked, and some 300 or so fake listings placed into their seller’s list. This particular model of guitar (if not the identical photos) has long been a popular bait for the hijackers. You would think that ebaY would be on the lookout for it, eh?

Once again the items included high-end goods across the panorama of musical instruments, sporting goods, electronics, industrial, collectibles and more. As I post this, their account shows one last obvious fraud listing, for a camera lens.

Another thing to consider is that the seller, and others hijacked, will likely receive invoices for items which ebaY knows full well were fraudulent.

How the hackers acquired the password to the account is one thing. How they can list all this high-fraud-category [fake] merchandise is quite another. Thus I contend that ebaY is hacked! Other sellers do not have the ability to list such items unfettered and unrestrained. The items were all added within about 20 minutes. Other sellers wishing to list in certain categories are subject to delays, additional verification, etc.

Ebay enacted limits on sellers, along with the once highly touted “proactive fraud filters” of years past. Clearly the hijackers were able to bypass all those filters, as they always have. Either ebaY is hacked or the hijackers have insider assistance. I can think of no other plausible conclusion. Can you?

The modus operandi is the same as observed in the past. The hijacker inserts an image with instructions and an email contact address for a quick deal, a deal which is always too good to be true. (Much like ebaY in general.) Because the instructions live inside the image rather than in the listing text, a filter that only scans the words of the description never sees them.

From there the scam can take any number of turns, such as a request to pay via fake yet official-looking ebaY invoices for payment through other money transmitter services, or, even more troubling, payment requests to commercially sold fake PayPal accounts (PayPal accounts which are in good standing but registered to fake personae, also known as “stealth” accounts).
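The pattern described here and in the earlier post on this page (hundreds of bait listings dropped onto a hijacked account within minutes, the same bait image reused across different hijacked sellers, the instructions carried in an image rather than in text) lends itself to a structural check on the listing feed rather than a keyword scan. Below is an added example written for this page, not eBay’s own filter and not the blog author’s code: it scores a constructed feed on two signals, listing bursts per seller and image digests shared by more than one seller. The seller names, feed layout, image bytes and thresholds are all assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, loosely taken from the page's
# observation of some 300 listings added in about 20 minutes.
BURST_WINDOW = timedelta(minutes=20)
BURST_THRESHOLD = 10


def image_digest(data: bytes) -> str:
    """Content hash of an embedded image. The bait image recurs byte-for-byte
    across hijacked accounts, so its digest is a stable fingerprint."""
    return hashlib.sha256(data).hexdigest()


# Constructed image payload standing in for the real bait JPEG/PNG bytes.
BAIT_IMAGE = b"constructed bait image: 'contact us off-site for a quick deal'"


def make_feed():
    """A constructed listing feed: one seller hijacked and stuffed with bait
    listings in minutes, a second seller reusing the same bait image two days
    later, and a regular seller listing unique photos over several hours."""
    start = datetime(2012, 12, 13, 9, 0)
    feed = []
    for i in range(12):
        feed.append({
            "id": f"H{i}", "seller": "hijacked_seller",
            "title": "Signed guitar, quick deal", "category": "Musical Instruments",
            "image": image_digest(BAIT_IMAGE),
            "created": start + timedelta(seconds=40 * i),
        })
    feed.append({
        "id": "V1", "seller": "second_victim",
        "title": "Signed guitar, quick deal", "category": "Musical Instruments",
        "image": image_digest(BAIT_IMAGE),
        "created": start + timedelta(days=2),
    })
    for i in range(5):
        feed.append({
            "id": f"N{i}", "seller": "regular_seller",
            "title": f"Used textbook vol. {i}", "category": "Books",
            "image": image_digest(b"constructed photo %d" % i),
            "created": start + timedelta(hours=3 * i),
        })
    return feed


def listing_bursts(feed, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sellers who created at least `threshold` listings inside any `window`.
    Returns {seller: most listings seen in one window}."""
    times_by_seller = defaultdict(list)
    for listing in feed:
        times_by_seller[listing["seller"]].append(listing["created"])
    flagged = {}
    for seller, times in times_by_seller.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[seller] = best
    return flagged


def shared_images(feed):
    """Image digests used by more than one seller -> sorted list of sellers."""
    sellers_by_image = defaultdict(set)
    for listing in feed:
        sellers_by_image[listing["image"]].add(listing["seller"])
    return {d: sorted(s) for d, s in sellers_by_image.items() if len(s) > 1}


def suspicious_sellers(feed):
    """Combine both signals into {seller: [reasons]}."""
    reasons = defaultdict(list)
    for seller, count in listing_bursts(feed).items():
        reasons[seller].append(f"{count} listings within {BURST_WINDOW}")
    for digest, sellers in shared_images(feed).items():
        for seller in sellers:
            others = ", ".join(s for s in sellers if s != seller)
            reasons[seller].append(f"image {digest[:12]} also used by {others}")
    return dict(reasons)


if __name__ == "__main__":
    for seller, why in suspicious_sellers(make_feed()).items():
        print(seller, "->", "; ".join(why))
```

Neither signal needs to read the text in the image. The burst check catches the 300-in-20-minutes pattern on its own; the shared-image check is what ties a single fresh listing on a second victim back to the same campaign, which is how the repeated Ouija guitar photos give the game away on this page. A real feed would hash the fetched image bytes, and the thresholds would be tuned against the site’s normal listing rates.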

Ebay will remove the item from their site, *poof*, then claim it never existed, and therefore the victim is not entitled to ebaY’s so-called “rock solid guarantee” of Buyer Protection.


Screenshot: properties of the image embedded in the hijacked listing

After I made a few screencaptures, I searched the term for the Ouija guitar again and found more listed on other accounts. I also found other things which I had no idea the hackers would use as bait, nor of the value of the items, such as this vintage Barbie doll listed on the account of ks3311:

Screenshot: listing “Vintage Barbie 2 Brunette Ponytail w VHTF 2 TM Stand” (ks3311)

The more I searched the more I found. It was an ever-increasing radius of fraudulent listings and hijacked sellers, too much for one human being to keep up with. But it’s revealing that ebaY bots can invade the ebaY message system to detect supposed attempts to communicate about conducting transactions off ebay by rank-and-file ebaY members who are engaged in the normal course of business, yet they cannot stop these listings.

There are many, many more hijacked listings over there right now. My advice is to avoid ebaY and find somewhere else to do your holiday (and other) shopping which doesn’t have these persistent [non-]security issues.

I’ve documented these types of account takeovers for literally years now. I can say there has been zero improvement on this issue since way back when. Click the YouTube Cappnonymous channel link on the right to see more examples.

Update: 12-14-2012

It seems there must be some sort of zombie infestation of ebaY servers again, as undead hackers struck shooting star level sellers again. Yesterday’s victim was... well, they started the day as hankiesandmore, with feedback of 19058, and finished it as collectorsshopwithme. They still run the hankiesandmore store. I bet that was fun.

Here are a couple of screencaptures (hankiesandmore, Musical Instruments, 2012-12-13): one showing the element properties of the image embedded in the hijacked listings, the other their seller list from the Musical Instruments category. You’ll notice there is our same ol’ friend, the signed First Run ESP Kirk Hammett Ouija Guitar, very same images and all. LoL! How could ebay let that one get through so many times? You don’t need to be psychic to know. ;p The second capture is the hijacker’s embedded image within the listing.

One thing people need to understand is that ebaY is sending out invoices for these hijackings, despite being fully aware the accounts were hacked, hijacked or taken over. They also use strong-arm and unscrupulous methods to collect, or attempt to. Here is one such example:

Dec 13, 2012 06:49 AM

EBay stole money from me, stating it was “seller fees”. I’ve never sold anything on EBay. It took a month to have the funds returned (I’m still waiting) and no less than 12h on the phone with EBay, a truly horrid support experience. On the phone I was well assured by several people that, since EBay was at fault, the large overdraft fees caused when they took the money from my account without my permission overdrafted my account and bounced my bills. Now they write that they will not pay for the damage they caused by their theft of my funds. They said I need to have the bank return that amount. The bank didn’t do anything wrong; EBay overdrafted the account. I suppose I will be eating all of the fees that EBay caused by stealing from me. Merry Christmas, EBay; would you like to explain to my children that there will be far less under the tree this year because EBay stole from us?