eBay Account Hijacked Article - Alcatraz Security

eBay Account Hijacked

Date: 2024-10-25

During coffee with my friend Tim this morning, he told me the story of his eBay account getting hijacked. He was selling a phone on eBay and received an email that asked whether the phone he was selling was similar to a phone on another website, and that provided a hyperlink. Tim followed the link intending to answer the potential buyer's question. Instead, upon clicking the link, he became a victim of a Cross Site Scripting vulnerability, also known as CSS or XSS. In this article I examine this vulnerability and explain what happens during this type of hack and what can be done to prevent a hijack. If you sell anything on eBay… you should read this article.

Scenario: An eBay seller with an account and an item listed. Using Tim’s example, he was selling a cell phone and had his eBay listing up and running with only a couple of hours left. He logged into “My eBay” using his credentials and selected “Keep me signed in”. Because he checked “Keep me signed in”, eBay stored a permanent session cookie on Tim’s local computer.



Cookies: There are two different types of cookies. One is a "temporary session cookie", which is stored in memory and is erased once you leave the website. The other is a “permanent session cookie”: a small file stored on the hard drive, until it expires, that identifies the user and credentials for the website. On Windows computers, cookies are typically stored in C:\Documents and Settings\%username%. The cookie has a file name of something like [email protected]. The content of a cookie file will look something like this:

ACOOKIE C8cttOTcyMjEzMTg0LjI5Nzg0MTIxAAAAAAAAAAACAAAAAwAAABC30ERcttBEBw
AAAHe20ER3ttBEAQAAAAEAAAAQt9BEXLbQE5Mi42MS4xMTUuNTUtOTcyMjEzMTg0LjI5N
zg0MTIxAwAAACAxOTIuNjEuMTTk3MjIxMzE4C4yOTc4NDEyMQ--cookie.ebay.com/102440622
428163053425498367000029800000*


The contents can be broken down into the following values:
Cookie Record: 0
Key: ACOOKIE
Value:C8cttOTcyMjEzMTg0LjI5Nzg0MTIxAAAAAAAAAAACAAAAAwAAABC30ERcttBEBw
AAAHe20ER3ttBEAQAAAAEAAAAQt9BEXLbQE5Mi42MS4xMTUuNTUtOTcyMjEzMTg0LjI5N
zg0MTIxAwAAACAxOTIuNjEuMTTk3MjIxMzE4C4yOTc4NDEyMQ--
Host: cookie.ebay.com/
Secure: False
Modified Date: Wed, 02 Aug 2024 14:30:40 GMT
Expiry Date: Sat, 30 Jul 2024 14:30:40 GMT


Hack: The hacker inserts JavaScript (or other scripting language) code into the URL string to capture the permanent session cookie, and delivers the user to a webpage, called the "payload site", that is made to appear like a valid website so it doesn’t arouse suspicion. The JavaScript contains code similar to “=’+document.cookie”. The manipulated URL containing the script is then provided to a recipient via an email, instant message, or forum link. Most of the time the hacker will encode the script in hexadecimal so it is hard to recognize.

Tim received the link in an email from someone he believed was a potential buyer. I reviewed the link and would have liked to add it to the article to show the reality of the situation, but decided not to because this would add risk to those who were tempted to follow the link and had permanent session cookies stored on their computer. The URL was not an eBay site, I will say that.

Is eBay to blame?
Absolutely. This is a vulnerability that exists on eBay, and we can only hope they are fixing it, as this vulnerability is well known. The US-CERT (United States Computer Emergency Readiness Team) has documented this vulnerability as Vulnerability Note 808921, which can be found here: https://www.kb.cert.org/vuls/id/808921.

What can I do to protect myself?
You have several choices. The first is disabling scripting within your Internet browser. This will prevent the successful execution of JavaScript to steal your session cookies. The second is to do what eBay recommends: if you’re hosting a sale item, do not follow any links that do not start with ebay.com. Some of the new Internet browser toolbars will also help block harmful scripts, but we have not been able to verify their validity at this time.
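
A link can be inspected before anyone follows it, which covers both the hexadecimal encoding described under “Hack” and the ebay.com advice above. The following JavaScript is an added example, not code from the original article or from eBay; the marker list, the function names and the sample links are assumptions constructed for illustration, and it goes slightly beyond the text by also decoding double-encoded input.

```javascript
// Added example: defender-side triage of a link received by email.
// TRUSTED_DOMAIN follows the article's advice; MARKERS is an assumed, non-exhaustive list.
const TRUSTED_DOMAIN = "ebay.com";
const MARKERS = ["document.cookie", "<script", "javascript:", "onerror=", "onload="];

// Percent-decode repeatedly so hex-encoded and double-encoded text is revealed.
function fullyDecode(text, maxRounds = 5) {
  let current = text;
  for (let round = 0; round < maxRounds; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      // Malformed escape somewhere: decode only the well-formed ASCII %XX pairs.
      next = current.replace(/%([0-7][0-9a-fA-F])/g,
        (_, hex) => String.fromCharCode(parseInt(hex, 16)));
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns the parsed host, the decoded path/query/fragment and a list of findings.
function inspectLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return { host: null, trusted: false, decoded: "", findings: ["unparseable URL"] };
  }
  const host = url.hostname;
  // Compare the parsed host, not the start of the string: "ebay.com.example.net" is not eBay.
  const trusted = host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
  const findings = [];
  if (!trusted) findings.push("host is not under " + TRUSTED_DOMAIN);
  const decoded = fullyDecode(url.pathname + url.search + url.hash);
  const squashed = decoded.toLowerCase().replace(/\s+/g, "");
  for (const marker of MARKERS) {
    if (squashed.includes(marker)) findings.push("script marker: " + marker);
  }
  return { host, trusted, decoded, findings };
}

// Constructed sample links (not from the article); the hosts are reserved example domains.
const SAMPLES = [
  "https://www.ebay.com/itm/1234567890",
  "http://phones.example.net/view?note=%3Cscript%3E%3D%27%2Bdocument.cookie%3C%2Fscript%3E",
  "https://ebay.com.example.net/itm/1234567890",
];
for (const s of SAMPLES) console.log(inspectLink(s).findings.join("; ") || "no findings", "<-", s);
```

A link with no findings is not proven safe; the check only makes encoded script and lookalike hosts visible before the click.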



What if this does happen to me?
Do what Tim did: don’t hesitate to contact eBay customer support, report the incident, provide the evidence of the incident, and change your eBay password.

This attacker was able to get into Tim’s eBay account, cancel his auction, modify the PayPal address and then send “Second Chance Offers” to all of his bidders.

On a relative scale of the hacks and attacks that exist, this attack isn’t too bad. His identity, financial information, and personal files were not at risk. The best way to deal with this vulnerability is through education and awareness until it can be fixed.

Have you been a victim of Cross Site Scripting? Comments?


© 2006 Alcatraz Security. All rights reserved.
