The dreaded XSRF (cross-site request forgery) exploit is still uncorrected on ebaY. That means extreme risk to both ebay and Paypal users.

Preface:

Let’s begin way back in 1999. This phylum of flaws (cross-site scripting) has existed on ebay since before there were terms coined for it. I produced a quick & dirty video outlining not only that, but how ebay sought to make a public relations play by announcing the removal of sellers’ ability to use active scripting elements in the user-generated content of ebay listings, then quietly reversed the decision and buried that news on a backwater blog. You can cut to the quick by clicking the more info area of the video and following the links.

Moving forward.

We blogged this vulnerability back in September. Yet if you follow the links there, you see the flaw actually existed for 3 years.

Now to the present day…

Published on Sep 16, 2013

eBay are currently vulnerable to XSRF, allowing any other web site to alter your profile information and gain access to your account.

Also very noteworthy,

There’s been a recent uptick of hacked, hijacked accounts on ebaY, and as usual they’re not doing too well protecting the community and certainly not the victims.

The modus operandi is the same as it has been for years; hackers gain control of an account and place images within the listing advising offsite transactions. Usually they will make everything look ‘official’ by purporting to be working with ebay’s protection department or similar phrases. This is also known as Account Take Over or ATO.

This weekend we have some representative victims: one, anitahaveit2 (13383), is a shooting star level powerseller; the other, gangsu2007 (111), a small seller. There could be any number of further victims and fraud listings. That’s one advantage of having 190 million+ listings on the site. It makes the fraud harder for people to spot.

gangsu2007 eBay hacked

anitahaveit2 eBay hacked

Note the items listed on both the hijacked accounts are identical. Also note the image containing the bogus instructions in gangsu2007’s listings purports to offer ebaY Buyer Protection. Rest assured if you fall for the scam, you will not be protected. Rather, ebay will make the listing vanish, claim it was never on their site, and that you conducted a transaction outside ebaY, and therefore you are not eligible for any protection.

(images open full size in new tab or window)

Now as to how the hackers gained access to the accounts, phishing or similar trickery may possibly explain that. However, as has been continually pointed out, phishing does not explain how hackers are able to bypass the fraud filters, seller limits, limits for high-fraud-rate categories, dollar-amount and/or brand-name limits, and a whole host of others, even secret ones, which the ebaY seller community has experienced.

So far as I can tell, there are only two plausible explanations for this long-recurring phenomenon: one, ebay is hacked, or two, the hackers have insider assistance. If anyone is aware of other possibilities, comments are open.

New victim p3

On ebaY’s Trust and Safety forum these incidents have been reported, and it’s very telling. One thing which may escape the reporting parties is that they will likely be repaid for their efforts to protect the ebaY community (or ebaY’s virtue) with stalking, drive-by character assassination, various social engineering ploys or attempts (LoLz!), perhaps even a DDoS attack should they happen to open any webpages exposing sleazebay. I’ve watched, and lived through, many such events.

The very best course of action is to not complain to ebaY. Instead focus your effort upon persuading others to never use the site. Not ebaY, not Paypal, not any site owned by or connected to them.

But the fact remains that some of us have been warning and/or educating people for years, literally. The good shepherd ebay is still sending its flock to the good butcher, and still doesn’t care to do anything but bury the fraud and belittle or harass those who dare expose them.

For those intent on staying even as the site is more unsafe now than ever before, I guess someone should have listened, eh? Are you listening now?

You could learn a lot from some dummies.

This ^ is for anyone who has ever criticized or exposed ebaY and felt their wrath.

Don’t worry. We shall be Vindicated. ;p

Signed First Run ESP Kirk Hammett Ouija

Click here to see the entire listing in a new tab or window.

munchkinscakes08_newest_20121209_480

I see the hackers are not sitting this Holiday season out. Last night I found that ebaY shooting star level seller munchkinscakes08 (40878) was hijacked, and some 300 or so fake listings placed into their seller’s list. This particular model guitar (if not identical photos etc) has long been a popular bait for the hijackers. You would think that ebaY would be on the lookout for it, eh?

Once again the items included high end goods across the panorama of musical instruments, sporting goods, electronics, industrial, collectibles and more. As I post this, their account shows one last obvious fraud listing for a camera lens.

Another thing to consider here is that the seller and others hijacked will likely receive invoices for items which ebaY knows full well were fraudulent.

How the hackers acquired the password to the account is one thing. How they can list all this high-fraud-category [fake] merchandise is quite another. Thus I contend that ebaY is hacked! Other sellers do not have the ability to list such items unfettered and unrestrained. The items were all added within about 20 minutes. Other sellers wishing to list in certain categories are subject to delays, additional verification, etc.

Ebay enacted limits on sellers, along with the once highly touted “proactive fraud filters” from years past. Clearly the hijackers were able to bypass all those filters. As they always have been. Either ebaY is hacked or the hijackers have insider assistance. I can think of no other plausible conclusions. Can you?

The Modus Operandi is the same as observed in the past. The hijacker inserts an image with instructions and an email contact address for a quick deal. A deal which is always too good to be true. (Much like ebaY in general)

From there the scam can take any number of turns, such as a request to pay via fake yet official-looking ebaY invoices for payment through other money transmitter services, or, even more troubling, payment requests to commercially sold fake paypal accounts (paypal accounts which are in good standing but registered to fake personae, also known as “stealth” accounts).

Ebay will remove the item from their site, *poof*, then claim it never existed, and therefore the victim is not entitled to ebaY’s so-called “rock solid guarantee” of Buyer Protection.

click to enlarge images, open in new tab or window

embedded_image_showing_properties

After I made a few screencaptures, I searched the term for the Ouija guitar again and found more listed on other accounts. I also found other things which I had no idea the hackers would use as bait, nor of the value of the items, such as this vintage Barbie Doll listed on the account of ks3311:

Vintage Barbie 2 Brunette Ponytail w VHTF 2 TM Stand

The more I searched, the more I found. It was an ever-increasing radius of fraudulent listings and hijacked sellers. Too much for one human being to keep up with. But it’s revealing that ebaY bots can invade the ebaY message system to detect supposed attempts to communicate about conducting transactions off ebay by rank-and-file ebaY members who are engaged in the normal course of business, but they cannot stop these listings.

There are many many more hijacked listings over there right now. My advice is to avoid ebaY and find somewhere else to do your Holiday (and other) shopping which doesn’t have these persistent [non] security issues.

I’ve documented these types of account take overs for literally years now. I can say there has been zero improvement regarding this issue since way back when. Click the youtube Cappnonymous channel link on the right to see more examples.

Update: 12-14-2012

It seems there must be some sort of zombie infestation with ebaY servers again, as undead hackers struck shooting star level sellers again. Yesterday’s victim was, … well, they started the day as hankiesandmore, with feedback of 19058, and finished it as collectorsshopwithme. They still run the hankiesandmore store. I bet that was fun.

hankiesandmore_musical Instruments_hijacked_20121213_ce_640

Here’s a couple of screencaptures, one showing the element properties of the image embedded in the hijacked listings, the other their seller list from the Musical Instruments category. You’ll notice there is our same ol’ friend, the signed First Run ESP Kirk Hammett Ouija Guitar, very same images and all. LoL! How could ebay let that one get through so many times? You don’t need to be psychic to know. ;p This was the hijacker’s embedded image within the listing:

One thing people need to understand is that ebaY is sending out invoices for these hijackings, despite the fact that they are full well aware the accounts were hacked, hijacked and/or taken over. They also use strongarm and unscrupulous methods to collect, or attempt to. Here is one such example:

Dec 13, 2012 06:49 AM

EBay stole money from me stating it was “seller fees”. I’ve never sold anything on EBay. Took a month to have the funds returned (I’m still waiting.) and no less than 12h on the phone with EBay, a truly horrid support experience. On the phone I was well assured by several people that since EBay was at fault the large overdraft fees caused when they took the money from my account without my permission overdrafted my account and bounced my bills. Now they write that they will not pay for the damage they caused by their theft of my funds. They said I need to have the bank return that amount. The bank didn’t do anything wrong, EBay overdrafted the account. I suppose I will be eating all of the fees that EBay caused by stealing from me. Merry Christmas EBay, would you like to explain to my children that there will be far less under the tree this year because EBay stole from us.

Over last weekend, November 28, 2010, a rather large ebaY powerseller, pugster888, a TRS (Top Rated Seller), had their account taken over and anywhere from around 57,000 to 70,000 (or more) fake high-end listings uploaded rapidly. The listings all contained an image of text urging would-be purchasers to contact the ‘seller’ at an off-ebaY email address, a familiar MO.

(click the images for full page, reduced size views)

Pure pugster pwnage! ;p

Above: There were many many more listings than this. I did not have time to sit around and watch.

Below: One of the dozens if not hundreds of listings for this particular piano.

Incredible Deals! Brand New! Free Shipping! ebaY Buyer Protection!;p

For those not following along, this sort of thing has happened too many times to recount them all here. Literally for years now. Yet ebaY refers to these events as isolated cases.

Of course the first things which jump right out this time are the stature, feedback level, and longevity of the seller/victim.

Screencaps here show the rate at which these listings were pumped in. Note the amounts of listings inserted per minute, as the search terms are ‘newly listed’, and the search modifiers set to not show the seller’s legit items.

Note the time on the above screencap showing 56,985 fake listings. (7:23 AM)
Here is the scene at 4:51 AM, with 27,833 results/listings.

ebaY is Hacked, cracked, modbotted and zombied! ;p

That’s 29,152 fake listings in high-fraud-rate categories in about 2 1/2 hours’ time.

Legit sellers do not have that ability with such items. There is a delay of several hours before items become visible on the site when listing in certain ‘high fraud’ categories. ebaY at one time touted them as “fraud filters”, the magical new weapon for building site trust and platform safety after our friend Vladuz reamed ebay. That is indicative of “hacking” as opposed to simple “account take over” (ATO) or ‘phishing’.
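As an added defender-side illustration (this is not the blog author’s material, and not anything eBay actually runs), here is a sliding-window listing-velocity check of the kind a marketplace could apply to its own listing events; the category labels, thresholds, seller names and sample events are all constructed, with the burst modelled on the rate described above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Category labels below are assumed for illustration only; they are not eBay's taxonomy.
HIGH_FRAUD_CATEGORIES = {"Musical Instruments", "Pianos", "Cameras & Photo"}


def build_sample_events():
    """Constructed listing events as (timestamp, seller, category, title).

    One hijacked account pumps a new piano listing every 30 seconds from 4:51 AM
    (mirroring the burst described in the post); one ordinary seller lists three
    collectibles over an hour.  Both sellers and all titles are made up.
    """
    events = []
    burst_start = datetime(2010, 11, 28, 4, 51)
    for i in range(120):
        events.append((burst_start + timedelta(seconds=30 * i), "hijacked_seller_A",
                       "Pianos", f"Brand New Grand Piano #{i} Free Shipping"))
    normal_start = datetime(2010, 11, 28, 5, 0)
    for i in range(3):
        events.append((normal_start + timedelta(minutes=20 * i), "normal_seller_B",
                       "Collectibles", f"Vintage postcard lot {i}"))
    events.sort(key=lambda e: e[0])
    return events


def velocity_alerts(events, window=timedelta(hours=1), max_all=30, max_high_fraud=5):
    """Sliding-window listing count per seller, with a stricter limit for
    high-fraud categories.  Emits one alert per (seller, rule) the first time
    the count inside the window exceeds the rule's limit, so a burst does not
    produce thousands of duplicate alerts.

    Returns a list of (seller, timestamp, count_in_window, rule) tuples.
    """
    recent = {"all": defaultdict(deque), "high_fraud": defaultdict(deque)}
    limits = {"all": max_all, "high_fraud": max_high_fraud}
    alerted = set()
    alerts = []
    for ts, seller, category, _title in events:   # events must be time-ordered
        rules = ["all"]
        if category in HIGH_FRAUD_CATEGORIES:
            rules.append("high_fraud")
        for rule in rules:
            q = recent[rule][seller]
            q.append(ts)
            while q and ts - q[0] > window:        # drop events older than the window
                q.popleft()
            if len(q) > limits[rule] and (seller, rule) not in alerted:
                alerted.add((seller, rule))
                alerts.append((seller, ts, len(q), rule))
    return alerts


if __name__ == "__main__":
    for seller, ts, count, rule in velocity_alerts(build_sample_events()):
        print(f"{ts:%H:%M:%S} {seller}: {count} listings in 1h window (rule: {rule})")
```

With the constructed data the high-fraud rule fires on the sixth piano listing (2.5 minutes into the burst) and the general rule on the 31st, while the ordinary seller never trips either.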

I’m curious to know whether ebaY would blame them for giving away their passwords? Or accuse pugster888 of falling victim to phishing attacks and getting their database hacked, as ebaY and its employees have?

Would the seller/victim admit they fell for a phishing or spearphishing ploy? Is this just another firm indication that the troubles at ebaY are much deeper and darker than most are aware?

I never examined the listings for the presence of any malware or dubious scripting etc, but it would be a reasonable assumption they may have also carried an additional payload of some type. The hackers everywhere are more crafty and sophisticated than ever. The ‘blended threat’ is more commonplace.

True to their Orwellian form, ebaY’s censors slithered out, and then back into the memory hole, taking with them ebaY forums threads regarding the event. Note the number 70K mentioned.

Finally, there were more victims with very similar listings: shakyahandicraft and 290401 (another TRS) to name a couple.
screencap of 290401 item
screencap of shakyahandicraft seller list

Over at the CAPP forum, as well as on youtube, I have more recent scams/hackings/hijackings and victims documented.

Regardless of whatever ebaY’s Minitrue department may claim, these events and worse are very commonplace.

Does ebaY seem like a safe, trustworthy, and/or honest platform to buy, sell or surf on?

Original link was deprecated. Cut to the quick right here:

Paypal Data Leaks ebaY Compromised Accounts Consumer Alert!

or keep reading if you want to learn a few things. You will.

Update May 2010:

If you are reading this you probably got here by searching something like “has ebay ever been hacked?” or maybe “ebay database hacked”.

The answer is a resounding YES!

All the proof you need is on my youtube channel and my other blog. Of particular importance is this post with video and screencapture.

Don’t overlook the main page and archive right here either for continuing and recent examples. The hack attacks and uncorrected critical safety flaws have now been ongoing for 3 or more years.

As for Paypal having been hacked to the gills and how they handled things, read these carefully:

Netcraft: PayPal Security Flaw allows Identity Theft

Responsible Disclosure? – Paypal vulnerable for two years

Those are just a couple of examples. Click the main page, search, or use the topic tags for plenty more.

end update

Before we start, there is another HUGE problem with ebay: lists of persons’ account info being compromised, and accounts being hijacked, taking place on the ebay Germany boards, but MANY of the accounts are from the USA.

Be sure to read this, and warn your friends, family, neighbors and co-workers… EbaY has MAJOR security issues.

It is a very dangerous site these days.

“The List — ebay has been hacked in a major way” back from the Memory Hole

Above, a slideshow; below, the entire text.

This is what ebay does not want consumers to know about.

The information which would have protected ebay’s users.

Does this sort of action (censorship and the further concealment/destruction of info) seem dishonest to anyone other than me?

First, related news articles and forum threads.
Vendor Security Lapse Has eBay Sellers Fuming

Vladuz, Ebay, and the 1200 Compromised IDs

Is Vladuz the Good Guy?

Once again, it sure seems as though there were a whole bunch more articles than this, but along the way, stop and watch the videos. I have made more videos about the dark dealings, and so have others, about ebay and paypal both.

Note some of the responses given though. Who are the people with the naysaying denial?

Why is there a core group of “ebay can do no wrong” presence, constantly on those forums over there?

How many other folks have you ever heard about ready to freely, out of pure sense of chivalry, defend large, international multi-billion dollar corporations free of charge, strictly volunteering, as a pastime, day in, day out, mondays, holidays, rainy days, on vacationtime, weekends, all day, all night, all afternoon, for year after year after year…?

Do they work for LiveWorld, ebay’s named forum moderation provider?

Recently, the FTC moved to unmask Word-of-mouth Advertising.

Should shills on message boards, and other similar Fake Persuaders, be dispensing non-factual, dishonest, and biased-for-profit information which has great potential to harm consumers, and indeed has caused untold problems, if not abject hardship, for the victims of this incident?

Well, hindsight tells us much, eh?

Now, the text from my saved file.

Edit: The reasons for which this is an issue are:

1) This posting was pulled from the forum quickly, yet I for one see no outright posting violations, does anyone?

2) This posting also quickly “evaporated” from Google very soon after as well. Somehow I luckily stumbled upon this.

3) We see now that information was dispensed which was known to be false at the time. I firmly feel that ebay would have swept the entire incident under the rug, had they their way. Does this seem like a deliberate attempt to conceal, cover up, or make unavailable information which shows them in a very bad light? (IMO)

4) By deliberately depriving its users, and the general www public at large, of THE TRUTH, and further, by its clear and continued pattern of untruthfulness, censorship, and concealment, and of course blatant DENIAL, ebay has put a great many at risk of ID theft, theft by fraud, etc., the list goes on… and very possibly YEARS of painstaking effort to correct it, and any number of further related problems.

5) Do not let us overlook the fact that ebay has profited every inch of the way through this entire unprecedented wave of hacking, hijacking, account take-overs, phishing, pharming…

Is there a pattern emerging?

Do you trust an outfit like that?

screencapture of the entire thread

(please note I have x’d out names here below)

This is G o o g l e’s cache of http://forums.ebay.com/db2/thread.jspa?threadID=2000317843&tstart=0&mod=1171585654167 as retrieved on Feb 16, 2007 08:37:41 GMT.
G o o g l e’s cache is the snapshot that we took of the page as we crawled the web.

hosted by LiveWorld
The List — ebay has been hacked in a major way
xxxxxxxxxxxx (0 ) View Listings | Report Feb-14-07 16:14 PST
There should be some big announcements. When is ebay going to come clean about The List, (the 1200 page long list) and all the account hijackings going on?

That is a HUGE reason to boycott!

There is quite a discussion taking place about it right now on the T&S bd.

The auction site never would strike a match or put out a fire, so little problems grew into big ones..ya-ya-ya-ya-ya…♪♫♪♫ ♪♫♪♫

Have a nice day!:^O

22 replies Date posted Reply #
xxxxesandbeads (633 ) View Listings | Report Feb-15-07 03:19 PST 1 of 22
What list?
Geez, I’ve already been hacked once recently! What list are you talking about?

xxxxrnfan1945 (2 ) View Listings | Report Feb-15-07 10:55 PST 2 of 22
See T&S. There is apparently a large list of hacked ebay accounts with passwords listed.

Some posters say they tested the account access and were able to log in.

xxxxxxx_xxxe_xxdes_me (Private ) View Listings | Report Feb-15-07 13:27 PST 3 of 22
It wasn’t 1200 pages and it was NOT hacked accounts.

xxxed~

xxxxly-if-ever (0 ) View Listings | Report Feb-15-07 13:35 PST 4 of 22
I love these rumors. Aren’t they fun????

Let’s start one. I read this in the Nat’l Enquirer:
World War II Bomber Found on Moon!!!!!

chicken_little_groupie (0 ) View Listings | Report Feb-15-07 14:06 PST 5 of 22
Run children run!!!

BATBOY SIGHTED AT EBAY HEADQUARTERS
IN SAN JOSE. IT IS FEARED HE HAS
GAINED ACCESS TO THE EBAY DATABASE.

xxxxsueysisters (1844 ) View Listings | Report Feb-15-07 15:18 PST 6 of 22
When you have that 1200 page list handy then I think we can really understand what is the impact.

Boycotts don’t work

CSS
Shields up, beware of the cloaking devices!
Bidder 2 has been following me, I would like that to stop
I watched the Sopranos, I know what a shakedown looks like!

xxxxxtoo (25 ) View Listings | Report Feb-15-07 15:23 PST 7 of 22
The list was removed. The users were not notified by eBay of the compromised account information of which eBay was made aware.

xxxxxxlady2000 (86 ) View Listings | Report Feb-15-07 15:29 PST 8 of 22
So, were they hacked or not? You say yes, xxxnge says no?

xxxxxtoo (25 ) View Listings | Report Feb-15-07 15:30 PST 9 of 22
It would be very prudent to change your passwords.

xxxxxxladxx000 (86 ) View Listings | Report Feb-15-07 15:37 PST 10 of 22
That is your answer?

chicken_little_groupie (0 ) View Listings | Report Feb-15-07 15:39 PST 11 of 22
So, were they hacked or not?

This is an internet message board. Here’s how it works.
If someone says eBay was hacked, it isn’t up to them to prove eBay was hacked, it’s up to you to prove eBay wasn’t hacked.

It’s a beautiful system if you’re the type that likes to tell others about the sky falling.

xxxxxueysisters (1844 ) View Listings | Report Feb-15-07 15:40 PST 12 of 22
I don’t think there’s a list.
I posted on the other thread, ebay is required by law to notify those individuals. Just like ChoicePoint & Ameritrade, even the local H&R block when they had a computer stolen… you don’t have to be hacked to be notified.

CSS
Shields up, beware of the cloaking devices!
Bidder 2 has been following me, I would like that to stop
I watched the Sopranos, I know what a shakedown looks like!

xxxxxxlaxx2000 (86 ) View Listings | Report Feb-15-07 15:41 PST 13 of 22
Sigh….not me. I have bigger fish to fry…but that is no where near as sensational.:O

xxxxytoo (25 ) View Listings | Report Feb-15-07 15:42 PST 14 of 22
It is always prudent to change your passwords from time to time. It would be really prudent to do so now. It is against the rules as well to speak openly about threads that were pulled. Cryptically speaking, it would be wise to change your passwords.

xxxxehog (79 ) View Listings | Report Feb-15-07 15:52 PST 15 of 22
clinnic, Do NOT contact me again. I will REPORT your unwelcome e-mail to eBay!!! :(

xxxxg

xxxxxxladxx000 (86 ) View Listings | Report Feb-15-07 15:58 PST 16 of 22
LOL, nice try randy, I have NEVER contacted you thru eBay or otherwise!

xxxxxxladxx000 (86 ) View Listings | Report Feb-15-07 15:59 PST 17 of 22
Go ahead and report it! Cause it was not me.

xxxx2000 (16 ) View Listings | Report Feb-15-07 16:04 PST 18 of 22
Score,

I would doublecheck any messages you get from anyone, since the “challenged” are playing with look-a-like Id’s again.

xxxxxxlady2000 (86 ) View Listings | Report Feb-15-07 16:05 PST 19 of 22
Exactly! and I really would like an apology.

unxxxxxx*xxxxman*lawyer (Private ) View Listings | Report Feb-15-07 16:13 PST 20 of 22
Ok clinic … you’re sorry.

xxxxan (0 ) View Listings | Report Feb-15-07 16:27 PST 21 of 22
Sigh….not me. I have bigger fish to fry…

Yes, reporting any and all violations you find on your nightly rounds on the Paypal board.

——————————————————-
Google Checkout – The Faster, Safer Way To Shop Online

xxxxxhog (79 ) View Listings | Report Feb-15-07 22:44 PST 22 of 22
As much as I may hate doing this; I will give clnnc an apology. I am sorry :_|

Dxxd was correct. I would wonder why me X-(

This person must have contacted me prior to have my email address. ?:|

Maybe to make me mad at clnnc? No need for that… weird, I no clicky link though… LOL

xxxxg

Next,

“Is ebay like the Titanic”

Oh, but one question….to the “chicken_little_groupie” person…what say ye now?

I get the feeling that people reading this might also like to read “Smart Americans ~ Consumer’s Personal Data Posted on ebaY T and S Board by Romanian Scammer”.

This is where the very first reports of the “brinkleywillie” episodes were posted. I am the one who submitted the tip & screencaps to consumerist.com for the post:

Hacker taunts Americans for Letting Him Steal Their Identities

Here is a better screencapture of that carnage, the full thread from ebay’s Trust & Safety forum.

That was when sleazebay apparently sent one or more of their paid netkook stalker-trolls to our CAPP forum to disrupt our forum, and attempt to keep that story under wraps, by posting a bunch of filth while posing as a different person, complete with that person’s photo as avatar (a practice known as ‘false personation’), and then actually tried to have our forum shut down for the very things they posted. (They posted LOTS of filthy things there; that thread is but a tiny sample. Then they had some little pep rallies to recruit people to complain to the CAPP forum site owners.) That very same netkook stalker(s) went on to harass (and indeed is still harassing) CAPP members/former CAPP members by publishing a LOT of very nasty and wholly false things about them all over the internet. There is no other plausible explanation. Anyone with a lot of time might want to look into that further; there is a really sleazy, yellow, filthy underbelly of the ebay community most folks are not aware of. Not my focus here nor there, just an entertaining little side note.

People reading here might also like to view these shocking videos:
ebaY HACKED! Germany to Paris2336 to Alabama Davy Crockett
ebaY & PayPal Data Leaks  The “LIST” Returns to Strike Again!
“Paypal Data Leaks ebaY Compromised Accounts Consumer Alert!”
Another PayPal Data leak Reported: Taken by Employee

Find them all at the Cappnonymous video page.

The Number 1 ebaY_paypal critic channel on youtube

For people wanting to know if ebay and paypal are still being hacked. The answer is YES!!! LOL

Check here:

pugster888 ebaY MegaSeller Gets Hijacked 56K+ Fake Listings November 2010

Romanian detained over a $3 million cyber fraud against eBay Inc. September 2010

Here ^ you’ll see that ebay employees got phished and the database was hacked, lmao!

Youtube video: ebay employees fall victim to phishing attacks & database hacked

Update December 2012. Yes, the hack attacks/seller account take overs are still ongoing!

ebaY Shooting Star munchkinscakes08 Hijacked

April 2013:

ebaY Sellers get Crucified on Easter Weekend

You can find more events documented at the CAPP News Forum