elgato
Joined: 24 Feb 2005
Posts: 16923
Location: Texas
Posted: Thu Feb 25, 2010 5:19 pm
Post subject: Blogger Captures eBay Motors Scam on YouTube Video
The eBayMotorsSucks blog, written by former eBay Motors seller Ed Koon, published a video on February 18 that shows an eBay Motors listing redirecting to an off-eBay site. He wrote, "Watch as this 2007 Chevy Tahoe listing sweeps me off of eBay to a hacked website." He refers to a well known redirect scam that AuctionBytes has covered and was documented by US-CERT.
It's a compelling video, and Mr. Koon told us he has talked to at least one recent victim of such a scam. We asked eBay about Mr. Koon's video, and spokesperson Johnna Hoff provided the following statement:
more... (link to news article)
DaLizardsLair
Joined: 15 Feb 2009
Posts: 4782
Posted: Sat Feb 27, 2010 10:45 am
I'm sorry, but just about every listing I've seen on eBay Motors has been a scam.
Peniwize The Clown
Joined: 14 Jun 2009
Posts: 75
Posted: Sat Feb 27, 2010 10:55 am
Post subject: Re: Blogger Captures eBay Motors Scam on YouTube Video
How in the world do they create a "redirect" within the listing? eBay has impossible restrictions with code, I find it funny they can do this.
Nikkicute
Joined: 27 Jul 2005
Posts: 878
Posted: Sat Feb 27, 2010 12:34 pm
Whoa!!! :shock:
I thought when redirecting it went to a totally different looking page, but it went to a page that looks EXACTLY like eBay!! wow!!! Isn't that something?
Stockmiser
Joined: 03 Jun 2006
Posts: 1146
Posted: Sat Feb 27, 2010 1:07 pm
Post subject: Re: Blogger Captures eBay Motors Scam on YouTube Video
Peniwize The Clown wrote:
> How in the world do they create a "redirect" within the listing? eBay has impossible restrictions with code, I find it funny they can do this.
Probably by using a "cross site" script. They keep the script completely off of the ebay listing by calling it through what looks like a benign local script. This can be done through java, php, cgi, asp, or just about anything that programs html. It's hard to catch them all, which is why I use Firefox and the "no script" add-on.
Browsers are actually supposed to catch this - but they don't always. It's much more of an IE security flaw than an Ebay one. Ebay could do what many of the alt sites have done by just limiting listings to basic HTML - no scripting at all. But that would mean no more fancy listing templates - and no more embedded elements like Flash or videos.
Really, anything calling objects from another site has the potential to cause problems. As I understand it, there is even a way to get some code over via remote graphics calls.
Here is a nice not-too-techie explanation of how to do a redirect via a Flash embedded object on ebay (it doesn't show everything, of course):
http://www.kelvinwong.ca/2007/08/18/scam-autopsy-ebay-auction-phishing/
What is being hacked really isn't ebay, it's your browser. These exploits could appear on any webpage, which is why I think everyone should be running some kind of protection software - just like virus protection.
doc
Joined: 28 Jan 2005
Posts: 33
Posted: Tue Mar 02, 2010 10:51 pm
Post subject: Re: Blogger Captures eBay Motors Scam on YouTube Video
From what I understand it was not the usual Flash or Meta redirect that we see so often. Cappnonymous did a video on it too, and even with no-script enabled it still redirected off of eBay to a site in the UK that had been hacked.
eBay could run a scan of the user's code during the listing process, and either strip out malicious code or reject it between pages of the SYI form. The fact remains that they don't want to secure their site. It's not their fault if someone goes off the site and is scammed, but if they are redirected away from the site it's their fault for not securing the site.
That girl in Washington state (oi8abug) that lost 15,200 to an identical redirect scam was told by eBay live help it was a legitimate listing and covered by eBay's VPP plan. The last I heard from her was she was looking for an attorney. That will never work because eBay will tie her up in court forever, it's their style! That and lawyers will not be interested in a case like that unless the client has deep pockets.
eBay has a responsibility to give their site visitors a safe, secure platform to do business on. The old days of Meg Whitman's lie and deny are long gone.
Ed "DOC" Koon
Stockmiser
Joined: 03 Jun 2006
Posts: 1146
Posted: Tue Mar 02, 2010 11:07 pm
Post subject: Re: Blogger Captures eBay Motors Scam on YouTube Video
If "no-script" didn't stop it, then they did it without using a script - which means that ebay scanning for a script would not work, right?
Unless we know exactly how the exploit was done, you can't necessarily say it's an ebay security flaw.
Like I said, other sites eliminate the problem by just removing all scripting functions, as well as Flash and all other embedded objects.
In fact, I'd be all for that change. The site would look a lot more consistent and professional without all the unnecessary extra scripting and other various garbage injected by sellers. Just look at sites like Bonanzle or Atomicmall or Ecrater or Etsy. I am pretty sure that none of these sites allow scripting or embedding.
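As an added example, not code from this thread, from eBay, or from any poster: a listing scanner of the kind doc proposes above (scan the seller's HTML during the listing process and strip what should not be there), built as an allowlist in Python so that the vectors the thread names (scripts, Flash/object embeds, meta refresh, iframes, inline event handlers, non-http URLs) never reach a buyer's browser. The tag and attribute allowlist and the sample listing are constructed assumptions, not eBay's actual rules.

```python
import html
from html.parser import HTMLParser

# Allowlist (assumed for this example): anything not listed here is dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "li", "table", "tr", "td", "img", "a"}
ALLOWED_ATTRS = {"img": {"src", "alt", "width", "height"}, "a": {"href"}}
SKIP_TAGS = {"script", "style", "object", "iframe"}  # their content is dropped too

def _http_url(value):
    # Only absolute http(s) URLs pass; javascript:, data:, vbscript: never do.
    return value.strip().lower().startswith(("http://", "https://"))

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        self._skip += tag in SKIP_TAGS          # nesting depth of skipped elements
        if self._skip or tag not in ALLOWED_TAGS:   # meta refresh, embed, object...
            self.findings.append(f"dropped <{tag}>")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):           # inline event handlers
                self.findings.append(f"dropped {name} handler on <{tag}>")
            elif name in ALLOWED_ATTRS.get(tag, ()):
                if name in ("src", "href") and not _http_url(value or ""):
                    self.findings.append(f"dropped unsafe {name}={value!r}")
                else:
                    kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self._skip -= tag in SKIP_TAGS and self._skip > 0
        if not self._skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):                # text is re-escaped on output
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_listing(markup):
    """Return (cleaned_html, findings) for seller-supplied listing HTML."""
    parser = ListingSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.findings

SAMPLE_LISTING = (  # constructed input carrying the vectors the thread names
    '<p>2007 Chevy Tahoe, <b>low miles</b></p>'
    '<meta http-equiv="refresh" content="0;url=http://example.invalid/">'
    '<object data="movie.swf"><param name="x" value="y"></object>'
    '<img src="http://example.invalid/pic.jpg" onerror="alert(1)">')
```

The findings list is what a listing form would show the seller (or log for review), while the cleaned HTML is what the buyer sees.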
DaLizardsLair
Joined: 15 Feb 2009
Posts: 4782
Posted: Wed Mar 03, 2010 10:52 am
Whether they allow it or not, it can still happen. I used to know several sellers who bragged about using embedded links in the pictures they used on eBay.
doc
Joined: 28 Jan 2005
Posts: 33
Posted: Wed Mar 03, 2010 11:22 am
Post subject: Re: Blogger Captures eBay Motors Scam on YouTube Video
Stockmiser wrote:
> If "no-script" didn't stop it, then they did it without using a script - which means that ebay scanning for a script would not work, right?
> Unless we know exactly how the exploit was done, you can't necessarily say it's an ebay security flaw.
I think that one was an inside job. My reasoning is that the contents of an eBay Motors seller's description are within an iframe embedded in the listing itself. If redirect code is embedded within this iframe it would only redirect the contents of that iframe and not the whole listing itself.
Meanwhile more people are getting scammed on vehicles in eBay's name. I see several messages weekly on the eBay Motors board where the scammed are asking for help. There is one on there this morning: "Is there an ebay finance center that deals with selling cars? Can anybody please help me out? I think I have been scammed because they are not responding to my emails."
eBay does not seem to care that these scammers are ruining their name. If it were me and scammers were stealing my customers - it would be all out war against scammers!
Stockmiser
Joined: 03 Jun 2006
Posts: 1146
Posted: Wed Mar 03, 2010 12:04 pm
Post subject: Re: Blogger Captures eBay Motors Scam on YouTube Video
"Inside job?" I kinda doubt that. Someone just found a workaround - iframe is not some super-secure "container".
Far as I know, all of the "obvious" exploits are banned automatically.
As for graphics and links, I know you cannot embed a link within a graphic itself, but you can do some tricky things with how you call the graphic. For example, I can call a JPG file from my server, and rewrite how my server treats the request by sending a script instead.
Unless browser security is greatly enhanced over the next few years (doubtful), I can see ebay banning all outside access - including graphics. That's about the only way to make the site completely secure.
In addition to the sites I mentioned, I believe Amazon is also a severely restricted site with their user listings.
shado_x
Joined: 18 Feb 2008
Posts: 14
Posted: Sun Mar 21, 2010 6:38 am
Amazon has that restricted site policy with their user listings. I should know... I sell on it.