Full Disclosure mailing list archives
ebay javascript injection
From: toppsoft <toppsoft () yahoo com>
Date: Wed, 12 Apr 2006 08:31:25 -0400
Most of the phishing emails I get for eBay are pretty obvious. Besides the typos and poor English, they usually link directly to arcane websites. Today I got one that took me to a listing on eBay which contained a login intercept. The script presents a reasonable-looking signin form, obfuscates your login and the destination URL using rot-24 and sends it on to http://proxy.cheersfilms.com.tw/426006317/66728472 before submitting it to eBay.
I only find it noteworthy because I couldn't find any public information about XSS flaws or other bugs allowing JS injection into eBay auction listings and a slightly more sophisticated attack would be pretty hard to detect.
If you want to see the script, it's still up at http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem&Item=5875281930
I neutered the URL so you'll need to view source to see the javascript. To see the fake signin page, you can link to http://tinyurl.com/r8ecv which takes you to

http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem
&=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=
&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=
&migrateVisitor=&Item=5875281930&aiu=rtqz{0ejggtuhknou0eqo0vy164822853718894:694
&jsc=sig&jsv=1&jsem=vqrruqhvB{cjqq0eqo

(remove white space to link)

aiu is the URL which captures your login (rot-24)

Sucks to be coloradopackrat today.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/