Well, I had to put this page up instead of simply showing you one of the hundreds of pages that have been hijacked by script injection on eBay. The reason I cannot show you the real thing is that eBay’s dirty tricks department is trying to put a gag on eBuster whilst hiding behind a DMCA copyright notice issued to my host providers, and now, in the latest development, apparently eBay is on to the FBI about eBuster. If eBay finds any of the above slanderous then they are welcome to try and sue me.
So how should I cover the subject of script injection without being accused of copyright infringement (yeah, some joke coming from eBay) or jumping up the FBI’s most wanted list by saying too much?
Script injection in its simplest form is typing special code into an input box that accepts HTML input, and the code looks something like this.
<wscript='run-now'>
ShowMessage['Hello world']
</wscript>
Yes, not much damage done, but amongst other serious security risks script injection can totally overwrite the web page you have just downloaded from eBay, so that nice advert for a car suddenly becomes a page that is putting cookies on your computer and tracking your moves, and as soon as you click a button you are taken off to a fake eBay site or a fake login page. So let’s look at some of the code injected into eBay pages, with a slight modification.
<!--Begin Description-->
<wscript='run-now'>
Browser.Write('\u003C\u0073\u0074\u0079\u006C\..........
</wscript>
<!--End Description-->
This is a bit more sophisticated and uses hexadecimal code which would take me all day to decode just to remove the eBay trade logo from the top of the page, so let’s see how simple it is to protect against script injection!
Protection comes free in ASP.NET unless it is turned off by using ValidateRequest="false" in the page header, and any programming language can make a simple test in two lines of code.
// html holds the submitted markup as a string
if (html.ToUpper().IndexOf("<WSCRIPT") > -1)
    throw new Exception("Page is infected");
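The two-line test above only sees text that is spelled out literally, so the escaped string in the earlier listing passes it untouched. The following is an added example, not code from the original page or from eBay: it decodes \uXXXX escapes before running the same test and encodes markup on output. All function names are assumptions, and the sample listing is constructed from the fragments shown on this page.

```javascript
// Added example: names and the sample listing are constructed for illustration.

// Turn \uXXXX escapes back into characters so a scanner sees what the
// browser would end up writing into the page.
function decodeUnicodeEscapes(text) {
  return text.replace(/\\u([0-9a-fA-F]{4})/g,
    (match, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// The two-line test from the page, taking a list of markers instead of one.
function containsMarker(html, markers) {
  const upper = html.toUpperCase();
  return markers.some((marker) => upper.indexOf(marker.toUpperCase()) > -1);
}

// Run the test on the text as submitted and again after decoding.
function scanDescription(html, markers) {
  return {
    raw: containsMarker(html, markers),
    decoded: containsMarker(decodeUnicodeEscapes(html), markers),
  };
}

// Encode markup characters on output so stored text is displayed, not run.
function escapeHtml(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Constructed sample: the placeholder tag from this page plus only the five
// escapes that are visible in the listing above.
const SAMPLE_DESCRIPTION = [
  "<wscript='run-now'>",
  "Browser.Write('\\u003C\\u0073\\u0074\\u0079\\u006C');",
  "</wscript>",
].join('\n');

console.log(decodeUnicodeEscapes('\\u003C\\u0073\\u0074\\u0079\\u006C'));
console.log(scanDescription(SAMPLE_DESCRIPTION, ['<wscript']));
console.log(scanDescription(SAMPLE_DESCRIPTION, ['<styl']));
console.log(escapeHtml(SAMPLE_DESCRIPTION));
```

The scan only flags a listing for a closer look; it is the encoding on output that keeps submitted text from being treated as markup, whatever it contains.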
It really is quite simple and most first year technology students know about the risk, so is it me being pedantic by asking how come eBay didn’t seem to know or even care? They did, however, finally manage to fix the problem in the section of eBay I was monitoring at the time, but this does not mean the whole site is now safe or that these rogue pages have not been saved to disk by eBay members.
It’s a good job eBuster is not that slow else it would take me years to move this web-site each time eBay slaps a gag order on me but I don’t think I am breaking any rules by showing two screen shots of the page using different browsers after I tweak the legendary eBay logo.
The real item number on this one was 110327410336 and not 714347917014
It’s a good try but it goes wrong on the left hand side in Internet Explorer if you resize the browser, but it’s perfect in Firefox.
Since we are on the subject of code, maybe eBay would like to make a few comments about Web Site Accessibility, or is this another UK law eBay has been allowed to overlook? Whilst I admit this site is far from perfect, as I needed to move it fast, at least it does not have pages with two sets of <html></html> in the same page, which I will post a link to when I remember where I have seen it.
The bottom line is eBay have known about this for a considerable amount of time. I am clueless about the motivation behind this and find it unsurprising that eBay is being hacked on a regular basis, and this may explain some of the corrupt member names that are popping up on a regular basis, but alas eBay has failed as yet to provide an explanation.