IP: eBayla virus

[Dave Farber <farber () cis upenn edu>]

> Date: Thu, 22 Apr 1999 17:34:41 -0700
> From: "Jeff E. Kinzli" <kinzli () cisco com>
>
>
> > From http://www.tbtf.com/index.html
>
>                 ..eBayla
>
> Canadian security enthusiast Tom Cervenka, who goes by the handle Blue
> Adept, has invented a new flavor of virus: he has created an infected
> eBay auction item [1] that he calls eBayla. The exploit works because
> eBay allows JavaScript in the member-authored pages describing an item
> offered for sale. When an eBay member bids on an infected item, his/her
> username and password are emailed to Cervenka. EBay's response [2] to
> the exploit sets a new low for bone-headedness. Not only does eBay
> downplay the seriousness of the security hole; not only do they get the
> technical details of the exploit's workings wrong; but they also make
> vague threats in Cervenka's direction, because he brought this
> vulnerability to their attention. EBay deserves to get slapped, hard, by
> its mem- bers -- nothing else will make them rethink their cluelessness.
> Thanks to Michael Sanders <msanders at confusion dot net> for the prod
> on this story.
>
>                     [1]
> http://www.because-we-can.com/ebayla/default.htm
>                     [2]
> http://www.news.com/News/Item/Textonly/0,25,35321,00.html