eBay scammers work unpatched weaknesses in Firefox, IE

eBay scammers have been exploiting unpatched weaknesses in the Firefox and Internet Explorer browsers to deliver counterfeit pages that try to dupe people surfing the online auction house to bid on fraudulent listings. The attacks managed to inject eBay pages with hostile code by exploiting issues long known to afflict Firefox …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Stop

    It seems to me

    that the browsers are not doing anything wrong. These are not browser vulnerabilities. It isn't the browser's job to make sure you secure your webshite (sic).

    Do you blame your brain for reading when somebody writes something badly in a book? Of course not - you blame the writer.

    It's the slipshod site design that needs looking at.

  2. JC
    Paris Hilton

    This is a real risk?

    Who bids on something that reads "Email the seller to buy this item"?

    If it walks like a duck and quacks like a duck...

  3. Anonymous Coward
    Stop

    NoScript

    I am a long time Firefox user and have always used the NoScript plugin. Like the site says: "Experts will agree: Firefox is really safer with NoScript!"

    I think it should be included with every Firefox download.

    Plus, you'd have to be a right stupid, gullible idiot to click the "Email the seller to buy this item" link.

    It's obviously a scam!

  4. Kanhef
    Stop

    External CSS

    Does anyone actually believe this is a good idea and should be used or allowed? Whoever controls the css file (e.g. a cracker who gained access to a legitimate site) has the ability to inject almost arbitrary code into any web page that uses it. It's almost as bad an idea as letting untrusted third parties provide banner ads.

  5. Tom

    So what's happening here?

    It's not a problem with browsers but FF people are trying to provide a solution and MS are applying the SEP field to it?

  6. Anonymous Coward
    Anonymous Coward

    It is the site's fault

    If they allow arbitrary code to be delivered, they are delivering arbitrary code to the user.

    Pay peanuts get monkeys, that is what has been happening on the web for a good few years.

  7. Charles Manning

    Email seller

    Quite a few people might be all confused by this ebay thing and would rather email the user and might even like the idea that they can email the seller for back up.

    This is only a stupid thing to do if you know that. Joe Unwashed won't know that. I wouldn't know that and I'm reasonably savvy (C programmer etc, but not an IT monkey).

    Perhaps the browser isn't broken (just doing what the code told it) and maybe the website isn't broken either (the website is also just doing what the content provider said it should: serve up some bytes). Clearly it is the malicious programmer that is broken. Just like any antisocials or criminals you won't protect against those unless you clamp down on various potential features.

  8. The Fuzzy Wotnot
    Thumb Down

    Tricky

    "Firefox security volunteers say they are in the process of patching the vulnerability. For their part, Microsoft officials say the exploits aren't the result of a vulnerability in IE but rather of websites that fail to properly protect against such attacks."

    It may not be a browser problem, but at least Mozilla are taking some responsibility and are trying to help out, unlike MS who, with all their bluff about giving a more secure environment for the user to enjoy the internet, obviously can't be arsed!

    Yes it was dark when I was driving, yes the lights were working and clean but they were not bright enough, so someone hit me. Now whose problem is that? Mine 'cos I went out in the dark or the car manufacturer for not making the lights bright enough for everyone to see correctly in certain conditions?

  9. Geoff Mackenzie

    A little unfair

    This article is a little unfair. These are not browser vulnerabilities, but holes in a specific web application (which doesn't exactly have a gleaming security record).

    Also, I whole-heartedly agree with the next post, below this one.

  10. dave

    Firefox patching?

    What are Firefox patching?

    Are Firefox going to block all XSS forever? That's a little extreme. Perhaps making it a security option turned off by default would be enough but I wonder how many sites use script from other domains?

    If it's common enough any security option will just be ignored after the umpteenth warning.

  11. Charles King
    Gates Halo

    Where have they all gone?

    So much for all the whining about the "insecure m$ HTML rendering engine" we saw in the piece covering IE8 a few days ago - IE8 is the only browser mentioned here which is *not* affected by the attack.

    Having said that, I've been running FF with NoScript for years, and it's notable that the Mozilla dev team seems to be the only one actually doing something to fix this rather than bleating and pointing fingers.

  12. N

    No Script

    Agreed, AC, it's a good extension for FF

    & if the price is too good to be true, then it probably is (a scam). Unfortunately there's way too many rogues out there & Ebay should clean up their act.

  13. Whitter

    XSS

    Yet more XSS weakness: when will web designers stop using XSS except where utterly necessary? I use Opera to browse / buy on eBay, but due to my (proper) security settings there, have to switch to IE when it comes to actually paying. A little IE for a known task is safer than a lot of IE I hope.

  14. Wortel
    Pirate

    Heh

    So where's the noob AC who commented last week about being sick of the updates issued to Firefox? come on, where are you now?

    As for the other AC, you are sadly mistaking about the browser not being at fault. CSS is not something that just 'runs' on its own accord, it is a plain text file downloaded and interpreted by the web browser.

    Failing to validate the source is not done in today's world.

    It should offer protection to its user, and the AC proposing NoScript should be shipped with Firefox by default has the right idea.

  15. Anonymous Coward
    Unhappy

    NoScript isn't a panacea

    It makes things very awkward. I'm trying to cancel a double order which I made last night as the result of not unblocking some third party's script. The payment system returned me to the retailer's website, which claimed to have no trace of my order (and I had received no emails) so I entered it again and when I successfully paid for it (by allowing this script), I got two confirmation emails for two identical orders with different order numbers.

    Until sites expect you to have JavaScript disabled, NoScript is a bit of a minefield I'm afraid. And no, "don't purchase anything over the internet" is not the answer.

  16. Jerome

    Screen shot

    "A similar bug also related to off-site CSSes allowed the eBay attacks to work flawlessly on IE browsers, as the above screenshot makes clear."

    It does? The screen shot that looks like a perfectly ordinary eBay page, you mean?

  17. Mark
    Coat

    Just get Opera

    Rarely have to worry about all this nonsense...

  18. Anonymous Coward
    Flame

    @Wortel

    "you are sadly mistaking (sic) about the browser not being at fault"

    What you mean is :

    "I did something stupid and the browser didn't fix it for me! Wah!"

    It is NOT the browser's fault that you have chosen to implement something which is inherently insecure. I sincerely hope you aren't a web developer, because I wouldn't want you working for me.

  19. Anonymous Coward
    Anonymous Coward

    (untitled)

    NoScript? Tools | Options | Content and disable javascript and java does the job.

    As for the idea that it's the site's problem, not the browser's, well maybe; but how am I to know which sites are and are not OK? EBay is obviously very dodgy anyway, but if I happen to visit a site where someone has screwed up I don't want my browser to put up any old stuff a scammer wants to show me, I want it blocked. If my current browser isn't up to the job then I'll look for another one - perhaps IE 8 (*gasp*) would do the job?

    I hope though that simply disabling javascript actually does the trick, it seems to be about the only attack vector at the moment. The downsides of no web apps and some fuckwit websites not working (or even appearing!) is pretty much liveable with - it's like the telly, you aren't missing much if you haven't got it.

    Can't buy things on the intertubes? Let them know you want to spend some money; who can afford to turn your business away? Mr website owner - "I'm sorry, but we aren't going to deal with you because you haven't enabled javascript, kindly Foxtrot Oscar" - what serious shop is going to talk like that? The only people who need javascript are scammers.

  20. Anonymous Coward
    Anonymous Coward

    @Wayne Tavitt: not just the odd fuckwit website

    Unfortunately the problem is not an individual retailer, it's the credit card payment and validation process which needs the JS. You are missing a bit more than the telly.

  21. Charles
    Unhappy

    @wayne tavitt

    Too many sites REQUIRE the use of Java and ECMAScript *just to navigate* on their site--so disabling all Java and JavaScript means I'm going nowhere fast in a site where there is no alternative (say, the HP website where I get drivers for my HP devices). In that scenario, you NEED to be able to selectively say which sites to allow and which not to, which is where NoScript's selective allowances are essential.

    Now, to the question I wish to ask. Considering this was touted as a feature originally, IS THERE a scenario in which an external CSS is the ONLY option and therefore becomes a necessity for a web scenario?

  22. twunt

    wayne tavitt doesn't live in the real world

    Wayne - NoScript is a real world solution to the problem, unlike your solution which would render many sites unusable.

    You may not like it, but far better to have a secure solution (NoScript) that you can actually use rather than yours which would leave you unable to carry out most of the things many of us do online.

  23. Maty

    noscript

    NoScript is a tool, not a magic bullet. Like any tool you've got to know how and when to use it. And it works on a lot more than javascript - or do you think that flash is completely hazard free?

    Personally I have my browser set to warn me when cross-scripting happens on a site. If there's a legit reason for it (and it can be useful sometimes - for example in online games) then no prob. But when I'm looking at something like eBay and a cross-script warning comes up, that's a big red flag.

    Trouble is, there's too many inexperienced/ignorant users out there. We've pushed the idea that the internet can be used with no training or even background reading - just buy a computer, get hooked up and learn as you go along. That's how everyone does it, and we are still discovering how expensive that learning can be.

  24. Elrond Hubbard

    Ebay is Dead anyway.

    First I will bash eBay. (I used to LOVE eBay)

    The moment they got rid of Checks and Money orders, nobody in their right mind is going to attach their paypal account to a credit card. Especially in this economy. After the last few auctions finished, so was I with eBay.

    Now to bash Microsoft.

    Come on Microsoft, what's your problem? You're not even going to try to patch IE7? Just shove it off on webhosts? What if the webhost is EVIL? That's why everyone in the know kill bits your nonsense! Oh we could upgrade to IE8 and lose compatibility with our other proprietary nonsense, but why would we want to? You better get with the program Microsoft before the economy turns on you next!!!

  25. Anonymous Coward
    Linux

    The backstory and better screenshots

    I'm the original reporter of the bug. There are (slightly) better screenshots from my encounter with it in the wild at http://cefn.com/blog/camper_van_firefox_bug.html

    Cefn Hoile http://cefn.com

  26. Pierre
    Gates Horns

    BWAHAHAHAHAHAHA!

    "Firefox security volunteers say they are in the process of patching the vulnerability. For their part, Microsoft officials say the exploits aren't the result of a vulnerability in IE but rather of websites that fail to properly protect against such attacks."

    Says it all really.

    Mozilla: OK, we're working on it, our browser will be patched soon

    MS: We don't give a shit, you paid already, get lost.

  27. Charles

    Re: Ebay is Dead anyway.

    The reason they got rid of checks and money order is because they allow for anonymity, which allows for fraud and money laundering on both ends of the deal. Sellers who demand MOs can cash them out, filch on the sale, and disappear without a trace. And bad buyers may use bad checks or phoney money orders which can come back to bite sellers in the butt. Credit cards at least have audit trails, means to petition for bad transactions, and fraud investigators who seek out disreputable users. IOW, they have a much-needed layer of security.

  28. Anonymous Coward
    Anonymous Coward

    @Wortel the monkey

    here's your peanuts. CSS is not a plain text file, it is served as text/css. See, this is the problem we have people without a clue thinking they know what is going on, Wortel is one of them.

  29. Wortel
    Flame

    @2 A.Cowards

    ==

    @Wortel

    By Anonymous Coward Posted Monday 9th March 2009 12:20 GMT

    Flame

    "you are sadly mistaking (sic) about the browser not being at fault"

    What you mean is :

    "I did something stupid and the browser didn't fix it for me! Wah!"

    It is NOT the browser's fault that you have chosen to implement something which is inherently insecure. I sincerely hope you aren't a web developer, because I wouldn't want you working for me.

    ==

    Thanks for proving my point with that reply.

    As a side note I did not claim the browser should 'fix' anything, I said "Failing to validate the source is not done in today's world.".

    An extension like NoScript allows the user a chance to validate the source before executing the content. This is a function that could be integrated into the browser itself, and would be a sane addition to the already in-place systems for checking the sources of remote images and cookies.

    As for not wanting me working for you, I'm quite content not working for your kind of narrow-minded Neanderthals.

    ==

    @Wortel the monkey

    By Anonymous Coward Posted Tuesday 10th March 2009 08:47 GMT

    here's your peanuts. CSS is not a plain text file, it is served as text/css. See, this is the problem we have people without a clue thinking they know what is going on, Wortel is one of them.

    ==

    I suppose I should thank you for trying to poison me then, as I am allergic to peanuts.

    While we are on the subject of ill-thought-through actions, let's address your reply.

    A style sheet has been and always will be a plain text file. The only thing you assume correctly is that it is -served- as text/css, but it is still the same plain text file after being transferred to the client. We call that description, 'text/css', a MIME type. You'll find it in Apache's server configuration if you know where to look. You do know where to look, do you?

    You can easily reconfigure Apache to mark a different file as 'text/css' if you wanted. Do we do that? no, we don't. Do we want to? Maybe, in the future.

    It doesn't process the file in any other way, that's the job of the web browser.

    But I suppose you want to blame the webserver now for handing out style sheets? Go ahead.

    In a way I should thank you, for the ignorance of your kind like previous AC keeps people like me who apparently are "people without a clue thinking they know what is going on" employed, paid and happy. Well scratch the happy part, supporting trolls like yourself should be rewarded with the keys to the armoury.

  30. Anonymous Coward
    Thumb Up

    All passing the buck!

    I notice everyone mentioned in the article declares that they themselves are not at fault, when they are patently ALL at fault!

    And Microsoft now comes in and has the article re-edited to its own whims?

    That is outrageous!

    Talking about IE bugs - I cannot update from IE6! And of course I cannot uninstall it either. That to me constitutes both a bug and a vulnerability.
