Stupid ebay/amazon question
Fred
puissante at lrc.puissante.com
Thu Jun 29 11:53:01 EDT 2006
...
> > A lot of auction pages include images. If a page can use images hosted
> > on a seller's server, and the img tag can be coded to include
> > information such as your ebay login name,
>
> This would be the bad part, in my opinion -- when I'm logged into ebay,
> it should not be possible for other people to insert code which would
> have access to my ebay login name/user name/email address. If that is
> the case, eBay is either deliberately or through incompetence allowing
> advertisers to get access to your personal information in a way that is
> completely inappropriate.
>
> I don't know how likely that is, but there is no technical reason why
> this should ever be a requirement, which means that if this is
> happening, it would be either malicious or ignorant.
>
> I did take a quick look through the ebay HTML, and didn't see anything
> that would indicate that this is the case. No references to the username
> in ways that an external advertiser would be able to easily exploit.
>
> But that doesn't mean there aren't any. Just that I couldn't find 'em.
> ;)
I have heard of exploits involving image files that have been tainted to
exploit vulnerabilities in the image decoding software. It is possible, say,
if you were using browser X with vulnerability Y with JPEG images that
someone could exploit, say, a buffer overrun to execute native code to
eventually do whatever they want.
Even though I'm sure the vulnerability I've heard about long ago has long
since been taken care of, there is never the time to rest and be naive. Some
new codec, Flash module, or anything may have some exploitable vulnerability
in it. And usually you only discover this after the fact, after your system
has been infected.
I would strongly suggest that you not keep your sensitive information on a
computer connected to the Internet, especially if you are running Windows.
A dual-boot situation would proffer you *some* protection, but not complete.
A power-on boot to removable media for your sensitive information would
represent your best bet for security against malware.
<rant>
Most are not willing to go though such lengths, so I usually suggest the
usual and obvious -- to us at least -- don't use IE or Outlook *at all*, and
start from a known clean system. That alone will take care of 99.99% of the
headaches. Alas, if you have kids in your home all bets are off there. My
8-year-old constantly begs me if she can use IE because some site she wants
to visit won't allow any other browser. And *her* computer is so infected
with malware it won't even boot anymore.
I used to bother with explaining that Active X is the greatest evil since
Stalin, but most wouldn't know an Active X applet if it bit them in the ass,
let alone how to disable it in IE. So, I tell them not to bother. Just don't
use IE.
</rant>
-Freedom Fred
More information about the gnhlug-discuss
mailing list