Bugtraq mailing list archives
Re: ebay sends passwords in the clear
From: abennett () CRUZIO COM (Andrew Bennett)
Date: Sun, 20 Feb 2000 02:00:04 -0800
At 11:03 AM 2/16/00 -0800, rfromm@cs.berkeley.edu wrote:
I've been trying to get ebay to do something about this for a month and a half, to no avail. See http://avocado.dhs.org/ebpd/ for details, including an ebay password sniffer.
I noticed that ebay has a link on their Sign In feature page to sign in via SSL. It's not the most obvious link. An easy way to get there:

- when prompted for your id/password, below the box, click the Sign In link
- when prompted again for your id/password, below the box, click the 'here' link

Of course, take note of the cookie that they will place on your computer. You'll have to close your browser, or it will expire in 40 minutes of inactivity, whichever comes first, according to the web page.

Couple this with the 'my ebay' preferences as to what activities you want your password remembered, one might only have to enter their password once, during the SSL session where the cookie gets set.

Andrew

--
Andrew Bennett
abennett () cruzio com