Message-ID: <443D02A6.3080900@yahoo.com>
Date: Wed Apr 12 14:37:53 2006
From: toppsoft at yahoo.com (toppsoft)
Subject: ebay javascript injection

Most of the phishing emails I get for eBay are pretty obvious. Besides 
the typos and poor English, they usually link directly to arcane 
websites. Today I got one that took me to a listing on eBay which 
contained a login intercept. The script presents a reasonable looking 
signin form, obfuscates your login and the destination url using rot-24 
and sends it on to http://proxy.cheersfilms.com.tw/426006317/66728472 
before submitting it to eBay.

I only find it noteworthy because I couldn't find any public information 
about XSS flaws or other bugs allowing JS injection into eBay auction 
listings, and a slightly more sophisticated attack would be pretty hard 
to detect.

If you want to see the script, it's still up at 
http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem&Item=5875281930

I neutered the URL so you'll need to view source to see the javascript.

To see the fake signin page, you can link to http://tinyurl.com/r8ecv

which takes you to

http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem
&=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=
&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=
&migrateVisitor=&Item=5875281930&aiu=rtqz{0ejggtuhknou0eqo0vy164822853718894:694
&jsc=sig&jsv=1&jsem=vqrruqhvB{cjqq0eqo

(remove white space to link)

aiu is the URL which captures your login (rot-24)

Sucks to be coloradopackrat today.
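An added decoder for the obfuscated `aiu` and `jsem` parameters in the link quoted above; this is example code written for this archive page, not part of the original message. It assumes, from the quoted values, that the scheme the message calls rot-24 is a shift of every character's ASCII code by 2 (so `.` becomes `0`, `/` becomes `1`, `y` becomes `{`), so decoding subtracts 2 from each character.

```python
from urllib.parse import parse_qs, urlsplit

# The phishing link from the message, reassembled from its whitespace-split form.
PHISH_URL = (
    "http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem"
    "&=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp="
    "&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav="
    "&migrateVisitor=&Item=5875281930&aiu=rtqz{0ejggtuhknou0eqo0vy164822853718894:694"
    "&jsc=sig&jsv=1&jsem=vqrruqhvB{cjqq0eqo"
)

# Assumption (derived from the quoted values, not stated in the message): the
# "rot-24" obfuscation shifts each character's ASCII code by +2, digits and
# punctuation included, so recovering the plaintext subtracts 2 per character.
SHIFT = 2

# Parameters the injected script populates with obfuscated values:
#   aiu  - where the captured login is posted
#   jsem - the address the phishing mail was sent to
OBFUSCATED_PARAMS = ("aiu", "jsem")


def deobfuscate(value: str) -> str:
    """Undo the per-character +2 ASCII shift."""
    return "".join(chr(ord(c) - SHIFT) for c in value)


def decode_phish_params(url: str) -> dict:
    """Parse the query string and return the de-obfuscated capture parameters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        name: deobfuscate(query[name][0])
        for name in OBFUSCATED_PARAMS
        if name in query
    }


if __name__ == "__main__":
    for name, plain in decode_phish_params(PHISH_URL).items():
        print(f"{name}: {plain}")
```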
