| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Apr 12 14:37:53 2006
From: toppsoft at yahoo.com (toppsoft)
Subject: ebay javascript injection
Most of the phishing emails I get for eBay are pretty obvious. Besides
the typos and poor english, they usually link directly to arcane
websites. Today I got one that took me to a listing on eBay which
contained a login intercept. The script presents a reasonable looking
signin form, obfuscates your login and the destination url using rot-24
and sends it on to http://proxy.cheersfilms.com.tw/426006317/66728472
before submitting it to ebay.
I only find it noteworthy because I couldn't find any public information
about xss flaws or other bugs allowing js injection into ebay auction
listings and a slightly more sophisticated attack would be pretty hard
to detect.
If you want to see the script, it's still up at
http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem&Item=5875281930
I neutered the URL so you'll need to view source to see the javascript.
To see the fake signin page, you can link to http://tinyurl.com/r8ecv
which takes you to
http://cgi.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewItem
&=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=
&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=
&migrateVisitor=&Item=5875281930&aiu=rtqz{0ejggtuhknou0eqo0vy164822853718894:694
&jsc=sig&jsv=1&jsem=vqrruqhvB{cjqq0eqo
(remove white space to link)
aiu is the URL which captures your login (rot-24)
Sucks to be coloradopackrat today.
Powered by blists - more mailing lists