Stupid ebay/amazon question
Christopher Schmidt
crschmidt at crschmidt.net
Thu Jun 29 12:15:01 EDT 2006
On Thu, Jun 29, 2006 at 11:51:06AM -0400, Fred wrote:
> ...
> > > A lot of auction pages include images. If a page can use images hosted
> > > on a seller's server, and the img tag can be coded to include
> > > information such as your ebay login name,
> >
> > This would be the bad part, in my opinion -- when I'm logged into ebay,
> > it should not be possible for other people to insert code which would
> > have access to my ebay login name/user name/email address. If that is
> > the case, eBay is either deliberately or through incompetence allowing
> > advertisers to get access to your personal information in a way that is
> > completely inappropriate.
> >
> > I don't know how likely that is, but there is no technical reason why
> > this should ever be a requirement, which means that if this is
> > happening, it would be either malicious or ignorant.
> >
> > I did take a quick look through the ebay HTML, and didn't see anything
> > that would indicate that this is the case. No references to the username
> > in ways that an external advertiser would be able to easily exploit.
> >
> > But that doesn't mean there aren't any. Just that I couldn't find 'em.
> > ;)
>
> I have heard of exploits involving image files that have been tainted to
> exploit vulnerabilities in the image decoding software. It is possible, say,
> if you were using browser X with vulnerability Y with JPEG images that
> someone could exploit, say, a buffer overrun to execute native code to
> eventually do whatever they want.
>
> Even though I'm sure the vulnerability I've heard about long ago has long
> since been taken care of, there is never the time to rest and be naive. Some
> new codec, Flash module, or anything may have some exploitable vulnerability
> in it. And usually you only discover this after the fact, after your system
> has been infected.
And all of this is completely unrelated to the discussion at hand, which
is a question of whether there is code inside of eBay's HTML,
Javascript, etc. which external users placing content on eBay's servers
can exploit to get access to your personal information as known by eBay.
The fact that persons can steal your data via browser exploits is unrelated
to eBay, and the discussion at hand.
> <rant>
> Most are not willing to go through such lengths, so I usually suggest the
> usual and obvious -- to us at least -- don't use IE or Outlook *at all*, and
> start from a known clean system. That alone will take care of 99.99% of the
> headaches. Alas, if you have kids in your home all bets are off there. My
> 8-year-old constantly begs me if she can use IE because some site she wants
> to visit won't allow any other browser. And *her* computer is so infected
> with malware it won't even boot anymore.
Don't spread too much anti-IE FUD -- they're not the only people to be
affected by this kind of crap. 90,000 LiveJournal users had their
cookies stolen by an external agent at one point due to a choice Firefox
has made to allow CSS to execute script in the current page context.
(LiveJournal quickly moved to a different system for URLs, which
contained the problem, and created and released a CSS Tokenizer which
removes unsafe content.)
Firefox has suffered similar image processing issues to IE with JPG
processing around-a-bouts the time 1.0 came out.
Internet Exploder, er, Explorer, may be more famous for these types of
exploits, but that's in large part because it has the lion's portion of
the market share. As Firefox has grown, it has proven repeatedly that it
can be similarly exploited, and has been.
The primary difference in the browsers is the amount of time to release
a fix. Microsoft took something like 2 weeks to release a fix to a
0-day exploit in their image parsing library which has been around since
Windows 95, and possibly Windows 3.11. (This was around January -- the
WMF exploit.) In the end, someone came up with a modified version of the
library which fixed the issue almost a week before Microsoft got around
to releasing anything -- and Microsoft's schedule was only accelerated
after days of exploits being reported by users and others around the
world. The user in question had to use reverse engineering tools
(probably violating his license agreement) in order to build the fix,
but in the process, helped protect hundreds of thousands of users from
possible exploits (of which there were many).
Firefox, on the other hand, released a security release of their browser
mere hours after the vulnerability in question was made public
knowledge. Of course, many users are still running vulnerable versions
because users never upgrade, but that's no less true of Windows and
other proprietary software that is patched.
All it really boils down to is that your computer is only really safe if
it's locked in a safe, disconnected from the internet... and preferably,
turned off.
--
Christopher Schmidt
Web Developer
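The message above mentions LiveJournal's response to the Firefox CSS-runs-script problem: a tokenizer that strips unsafe content from user-supplied stylesheets. What follows is an added illustration of that approach, written for this page; it is not LiveJournal's code and not from anyone in the thread. It assumes the user CSS is a flat list of `selector { prop: value; ... }` rules, and the function names (`sanitizeCss`, `isUnsafeDeclaration`, `decodeCssEscapes`) are made up for the example.

```javascript
// Added example (not LiveJournal's tokenizer): a small CSS sanitizer that
// drops declarations able to execute script in the page context.
// Assumption: input is flat "selector { prop: value; ... }" rules.

// Decode CSS escapes so "\65 xpression" and "exp\ression" normalise to "expression".
function decodeCssEscapes(s) {
  return s
    .replace(/\\([0-9a-fA-F]{1,6})[ \t\n]?/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/\\(.)/g, '$1');
}

// Strip /* */ comments; they are used to split dangerous tokens ("exp/**/ression").
function stripComments(s) {
  return s.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Constructs that run script or pull foreign content into the viewer's page.
const UNSAFE = [
  /expression\s*\(/i,   // IE dynamic properties
  /-moz-binding\s*:/i,  // Firefox XBL bindings (the vector behind the cookie theft)
  /behavior\s*:/i,      // IE HTC behaviours
  /javascript\s*:/i,    // url(javascript:...)
];

// A declaration is unsafe if, after comment stripping and escape decoding, it
// contains any of the patterns above.
function isUnsafeDeclaration(decl) {
  const norm = decodeCssEscapes(stripComments(decl)).replace(/\s+/g, ' ');
  return UNSAFE.some((re) => re.test(norm));
}

// Tokenise into rules, keep only safe declarations, and re-emit clean CSS.
function sanitizeCss(css) {
  const clean = stripComments(css)
    .replace(/@[^{;]*;/g, '');          // drop block-less at-rules such as @import
  const out = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(clean)) !== null) {
    const selector = m[1].trim();
    if (selector.startsWith('@')) continue; // drop @font-face and similar wholesale
    const kept = m[2].split(';')
      .map((d) => d.trim())
      .filter((d) => d && !isUnsafeDeclaration(d));
    if (kept.length) out.push(`${selector} { ${kept.join('; ')}; }`);
  }
  return out.join('\n');
}
```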