Watchdog Group Gives Live Demo of eBay Security Vulnerability
Saying it was tired of waiting for eBay to fix a security problem on its platform that has existed for years, German Internet watchdog group Falle-internet.de (translated page) gave a demonstration of how scammers are using Flash files embedded into eBay auction pages to gather members' eBay account info.
Ina and David Steiner, publishers of auctionbytes.com, conducted the same test and got the same results; you can view their report here.
I have screen captured the Falle-internet page in case it gets taken down; you can view it here in our screen capture archive. Please see the file dirinfo.htm for instructions on viewing long image files.
I have been reporting this serious breach of eBay security for at least 2 years, and anyone that keeps up with eBay’s Sloppy Security knows it as well. eBay is quick to point the finger at Romania, China, and other foreign governments, but the fact is that eBay is too cheap to secure their own servers! This US-CERT Advisory was issued in April 2006! So eBay does know about this security breach!

eBay would rather intimidate and blacklist websites that expose their security vulnerabilities than fix the problem! Falle-Internet was intimidated last year when it showed screen shots of Vladuz’s hacking utilities that Vladuz posted on one of eBay’s discussion forums. eBay promptly tried using the FBI in an intimidation letter to their web host!
Since when has the FBI had jurisdiction in Germany??

It is really interesting how Vladuz got even with Scott Noyce, who sent the above email to Falle-Internet’s web host, by hacking Noyce’s eBay account and posting his personal account info on his ME page! I guess what comes around – goes around!

Looks like Vladuz crawling in through one of those eBay Security Holes!



You can see all of Doc’s Vladuz Screen Captures Over Here!

Nothing like looking at eBay through Rose Colored Glasses, Huh..
This vulnerability was reported on by The Register in 2005, then again in 2006. I also did a good write-up with lots of screen captures here and here.
I sincerely doubt they will fix this vulnerability unless it gets to major media. It’s a shame, because it’s downright scary just surfing eBay!
Speaking of Vladuz, he has been pretty quiet – it’s about time for him to pay eBay a visit.