Stupid ebay/amazon question

Fred puissante at lrc.puissante.com
Thu Jun 29 11:53:01 EDT 2006


...
> > A lot of auction pages include images. If a page can use images hosted
> > on a seller's server, and the img tag can be coded to include
> > information such as your ebay login name,
>
> This would be the bad part, in my opinion -- when I'm logged into ebay,
> it should not be possible for other people to insert code which would
> have access to my ebay login name/user name/email address. If that is
> the case, eBay is either deliberately or through incompetence allowing
> advertisers to get access to your personal information in a way that is
> completely inappropriate.
>
> I don't know how likely that is, but there is no technical reason why
> this should ever be a requirement, which means that if this is
> happening, it would be either malicious or ignorant.
>
> I did take a quick look through the ebay HTML, and didn't see anything
> that would indicate that this is the case. No references to the username
> in ways that an external advertiser would be able to easily exploit.
>
> But that doesn't mean there aren't any. Just that I couldn't find 'em.
> ;)

I have heard of exploits involving image files that have been tainted to 
exploit vulnerabilities in the image decoding software. It is possible, say, 
if you were using browser X with vulnerability Y with JPEG images that 
someone could exploit, say, a buffer overrun to execute native code to 
eventually do whatever they want.

Even though I'm sure the vulnerability I've heard about long ago has long 
since been taken care of, there is never the time to rest and be naive. Some 
new codec, Flash module, or anything may have some exploitable vulnerability 
in it. And usually you only discover this after the fact, after your system 
has been infected.

I would strongly suggest that you not keep your sensitive information on a 
computer connected to the Internet, especially if you are running Windows.

A dual-boot situation would proffer you *some* protection, but not complete. 
A power-on boot to removable media for your sensitive information would 
represent your best bet for security against malware.

<rant>
Most are not willing to go through such lengths, so I usually suggest the 
usual and obvious -- to us at least -- don't use IE or Outlook *at all*, and 
start from a known clean system. That alone will take care of 99.99% of the 
headaches. Alas, if you have kids in your home all bets are off there. My 
8-year-old constantly begs me if she can use IE because some site she wants 
to visit won't allow any other browser. And *her* computer is so infected 
with malware it won't even boot anymore.

I used to bother with explaining that ActiveX is the greatest evil since 
Stalin, but most wouldn't know an ActiveX applet if it bit them in the ass, 
let alone how to disable it in IE. So, I tell them not to bother. Just don't 
use IE.
</rant>

-Freedom Fred


