back to article eBay scammers work unpatched weaknesses in Firefox, IE

eBay scammers have been exploiting unpatched weaknesses in the Firefox and Internet Explorer browsers to deliver counterfeit pages that try to dupe people surfing the online auction house to bid on fraudulent listings. The attacks managed to inject eBay pages with hostile code by exploiting issues long known to afflict Firefox …

COMMENTS

This topic is closed for new posts.
Stop

It seems to me

that the browsers are not doing anything wrong. These are not browser vulnerabilities. It isn't the browser's job to make sure you secure your webshite (sic).

Do you blame your brain for reading when somebody writes something badly in a book? Of course not - you blame the writer.

It's the slipshod site design that needs looking at.

JC
Paris Hilton

This is a real risk?

Who bids on something that reads "Email the seller to buy this item"?

If it walks like a duck and quacks like a duck...

Stop

NoScript

I am a long time Firefox user and have always used the NoScript plugin. Like the site says: "Experts will agree: Firefox is really safer with NoScript!"

I think it should be included with every Firefox download.

Plus, you'd have to be a right stupid, gullible idiot to click the "Email the seller to buy this item" link.

It's obviously a scam!

Stop

External CSS

Does anyone actually believe this is a good idea and should be used or allowed? Whoever controls the css file (e.g. a cracker who gained access to a legitimate site) has the ability to inject almost arbitrary code into any web page that uses it. It's almost as bad an idea as letting untrusted third parties provide banner ads.

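An added example, not part of the original thread and not eBay's code: one way a site that accepts user-supplied HTML could flag stylesheet references pointing off-site, the situation the "External CSS" comment above describes. The trusted host name and the sample listing markup are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site itself controls; any other host is "off-site".
TRUSTED_HOSTS = {"static.example-auction.test"}
# Target of an @import rule, written either as url(...) or as a bare string.
CSS_IMPORT = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)""", re.I)

# Constructed sample of a user-supplied listing description.
SAMPLE = """
<link rel="stylesheet" href="/css/listing.css">
<link rel="stylesheet" href="https://static.example-auction.test/base.css">
<LINK REL="StyleSheet" HREF="//styles.offsite.invalid/theme.css">
<style>@import url("http://styles.offsite.invalid/extra.css"); p {color: red}</style>
<p>Vintage camper van, one owner.</p>
"""

def is_offsite(url):
    """True if url names a host outside TRUSTED_HOSTS; relative URLs are on-site."""
    host = (urlparse(url.strip()).hostname or "").lower()  # also set for //host/x
    return bool(host) and host not in TRUSTED_HOSTS

class StylesheetAudit(HTMLParser):
    """Collects off-site stylesheet references in document order."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            if is_offsite(a.get("href", "")):
                self.findings.append(("link", a["href"]))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> bodies arrive here as raw CSS text
            self.findings += [("@import", u) for u in CSS_IMPORT.findall(data)
                              if is_offsite(u)]

def audit(html):
    """Return a list of (kind, url) pairs for every off-site stylesheet reference."""
    parser = StylesheetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

This check only reports `<link>` and `@import` references; inline `style` attributes and other CSS entry points are outside its scope.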
Tom

So what's happening here?

It's not a problem with browsers but FF people are trying to provide a solution and MS are applying the SEP field to it?

Anonymous Coward

It is the site's fault

If they allow arbitrary code to be delivered, they are delivering arbitrary code to the user.

Pay peanuts get monkeys, that is what has been happening on the web for a good few years.


Email seller

Quite a few people might be all confused by this ebay thing and would rather email the user and might even like the idea that they can email the seller for back up.

This is only a stupid thing to do if you know that. Joe Unwashed won't know that. I wouldn't know that and I'm reasonably savvy (C programmer etc, but not an IT monkey).

Perhaps the browser isn't broken (just doing what the code told it) and maybe the website isn't broken either (the website is also just doing what the content provider said it should: serve up some bytes). Clearly it is the malicious programmer that is broken. Just like any antisocials or criminals you won't protect against those unless you clamp down on various potential features.

Thumb Down

Tricky

"Firefox security volunteers say they are in the process of patching the vulnerability. For their part, Microsoft officials say the exploits aren't the result of a vulnerability in IE but rather of websites that fail to properly protect against such attacks."

It may not be a browser problem, but at least Mozilla are taking some responsibility and are trying to help out, unlike MS who, with all their bluff about giving a more secure environment for the user to enjoy the internet, obviously can't be arsed!

Yes it was dark when I was driving, yes the lights were working and clean but they were not bright enough, so someone hit me. Now whose problem is that? Mine 'cos I went out in the dark or the car manufacturer for not making the lights bright enough for everyone to see correctly in certain conditions?


A little unfair

This article is a little unfair. These are not browser vulnerabilities, but holes in a specific web application (which doesn't exactly have a gleaming security record).

Also, I whole-heartedly agree with the next post, below this one.


Firefox patching?

What are Firefox patching?

Are Firefox going to block all XSS forever? That's a little extreme. Perhaps making it a security option turned off by default would be enough but I wonder how many sites use script from other domains?

If it's common enough any security option will just be ignored after the umpteenth warning.

Gates Halo

Where have they all gone?

So much for all the whining about the "insecure m$ HTML rendering engine" we saw in the piece covering IE8 a few days ago - IE8 is the only browser mentioned here which is *not* affected by the attack.

Having said that, I've been running FF with NoScript for years, and it's notable that the Mozilla dev team seems to be the only one actually doing something to fix this rather than bleating and pointing fingers.

N

No Script

Agreed, AC, it's a good extension for FF

& if the price is too good to be true, then it probably is (a scam). Unfortunately there's way too many rogues out there & Ebay should clean up their act.


XSS

Yet more XSS weakness: when will web designers stop using XSS except where utterly necessary? I use Opera to browse / buy on eBay, but due to my (proper) security settings there, have to switch to IE when it comes to actually paying. A little IE for a known task is safer than a lot of IE I hope.

Pirate

Heh

So where's the noob AC who commented last week about being sick of the updates issued to Firefox? Come on, where are you now?

As for the other AC, you are sadly mistaking about the browser not being at fault. CSS is not something that just 'runs' on its own accord, it is a plain text file downloaded and interpreted by the web browser.

Failing to validate the source is not done in today's world.

It should offer protection to its user, and the AC proposing NoScript should be shipped with Firefox by default has the right idea.

Unhappy

NoScript isn't a panacea

It makes things very awkward. I'm trying to cancel a double order which I made last night as the result of not unblocking some third party's script. The payment system returned me to the retailer's website, which claimed to have no trace of my order (and I had received no emails) so I entered it again and when I successfully paid for it (by allowing this script), I got two confirmation emails for two identical orders with different order numbers.

Until sites expect you to have JavaScript disabled, NoScript is a bit of a minefield I'm afraid. And no, "don't purchase anything over the internet" is not the answer.


Screen shot

"A similar bug also related to off-site CSSes allowed the eBay attacks to work flawlessly on IE browsers, as the above screenshot makes clear."

It does? The screen shot that looks like a perfectly ordinary eBay page, you mean?

Coat

Just get Opera

Rarely have to worry about all this nonsense...

Flame

@Wortel

"you are sadly mistaking (sic) about the browser not being at fault"

What you mean is :

"I did something stupid and the browser didn't fix it for me! Wah!"

It is NOT the browser's fault that you have chosen to implement something which is inherently insecure. I sincerely hope you aren't a web developer, because I wouldn't want you working for me.

Anonymous Coward

(untitled)

NoScript? Tools | Options | Content and disable javascript and java does the job.

As for the idea that it's the site's problem, not the browser's, well maybe; but how am I to know which sites are and are not OK? EBay is obviously very dodgy anyway, but if I happen to visit a site where someone has screwed up I don't want my browser to put up any old stuff a scammer wants to show me, I want it blocked. If my current browser isn't up to the job then I'll look for another one - perhaps IE 8 (*gasp*) would do the job?

I hope though that simply disabling javascript actually does the trick, it seems to be about the only attack vector at the moment. The downsides of no web apps and some fuckwit websites not working (or even appearing!) is pretty much liveable with - it's like the telly, you aren't missing much if you haven't got it.

Can't buy things on the intertubes? Let them know you want to spend some money; who can afford to turn your business away? Mr website owner - "I'm sorry, but we aren't going to deal with you because you haven't enabled javascript, kindly Foxtrot Oscar" - what serious shop is going to talk like that? The only people who need javascript are scammers.

Anonymous Coward

@Wayne Tavitt: not just the odd fuckwit website

Unfortunately the problem is not an individual retailer, it's the credit card payment and validation process which needs the JS. You are missing a bit more than the telly.

Unhappy

@wayne tavitt

Too many sites REQUIRE the use of Java and ECMAScript *just to navigate* on their site--so disabling all Java and JavaScript means I'm going nowhere fast in a site where there is no alternative (say, the HP website where I get drivers for my HP devices). In that scenario, you NEED to be able to selectively say which sites to allow and which not to, which is where NoScript's selective allowances are essential.

Now, to the question I wish to ask. Considering this was touted as a feature originally, IS THERE a scenario in which an external CSS is the ONLY option and therefore becomes a necessity for a web scenario?


wayne tavitt doesn't live in the real world

Wayne - NoScript is a real world solution to the problem, unlike your solution which would render many sites unusable.

You may not like it, but far better to have a secure solution (NoScript) that you can actually use rather than yours which would leave you unable to carry out most of the things many of us do online.


noscript

NoScript is a tool, not a magic bullet. Like any tool you've got to know how and when to use it. And it works on a lot more than javascript - or do you think that flash is completely hazard free?

Personally I have my browser set to warn me when cross-scripting happens on a site. If there's a legit reason for it (and it can be useful sometimes - for example in online games) then no prob. But when I'm looking at something like eBay and a cross-script warning comes up, that's a big red flag.

Trouble is, there's too many inexperienced/ignorant users out there. We've pushed the idea that the internet can be used with no training or even background reading - just buy a computer, get hooked up and learn as you go along. That's how everyone does it, and we are still discovering how expensive that learning can be.


Ebay is Dead anyway.

First I will bash eBay. (I used to LOVE eBay)

The moment they got rid of Checks and Money orders, nobody in their right mind is going to attach their paypal account to a credit card. Especially in this economy. After the last few auctions finished, so was I with eBay.

Now to bash Microsoft.

Come on Microsoft, what's your problem? You're not even going to try to patch IE7? Just shove it off on webhosts? What if the webhost is EVIL? That's why everyone in the know kill bits your nonsense! Oh we could upgrade to IE8 and lose compatibility with our other proprietary nonsense, but why would we want to? You better get with the program Microsoft before the economy turns on you next!!!

Linux

The backstory and better screenshots

I'm the original reporter of the bug. There are (slightly) better screenshots from my encounter with it in the wild at http://cefn.com/blog/camper_van_firefox_bug.html

Cefn Hoile http://cefn.com

Gates Horns

BWAHAHAHAHAHAHA!

"Firefox security volunteers say they are in the process of patching the vulnerability. For their part, Microsoft officials say the exploits aren't the result of a vulnerability in IE but rather of websites that fail to properly protect against such attacks."

Says it all really.

Mozilla: OK, we're working on it, our browser will be patched soon

MS: We don't give a shit, you paid already, get lost.


Re: Ebay is Dead anyway.

The reason they got rid of checks and money order is because they allow for anonymity, which allows for fraud and money laundering on both ends of the deal. Sellers who demand MOs can cash them out, filch on the sale, and disappear without a trace. And bad buyers may use bad checks or phoney money orders which can come back to bite sellers in the butt. Credit cards at least have audit trails, means to petition for bad transactions, and fraud investigators who seek out disreputable users. IOW, they have a much-needed layer of security.

Anonymous Coward

@Wortel the monkey

here's your peanuts. CSS is not a plain text file, it is served as text/css. See, this is the problem we have people without a clue thinking they know what is going on, Wortel is one of them.

Flame

@2 A.Cowards

==

@Wortel

By Anonymous Coward Posted Monday 9th March 2009 12:20 GMT

Flame

"you are sadly mistaking (sic) about the browser not being at fault"

What you mean is :

"I did something stupid and the browser didn't fix it for me! Wah!"

It is NOT the browser's fault that you have chosen to implement something which is inherently insecure. I sincerely hope you aren't a web developer, because I wouldn't want you working for me.

==

Thanks for proving my point with that reply.

As a side note I did not claim the browser should 'fix' anything, I said "Failing to validate the source is not done in today's world.".

An extension like NoScript allows the user a chance to validate the source before executing the content. This is a function that could be integrated into the browser itself, and would be a sane addition to the already in-place systems for checking the sources of remote images and cookies.

As for not wanting me working for you, I'm quite content not working for your kind of narrow-minded Neanderthals.

==

@Wortel the monkey

By Anonymous Coward Posted Tuesday 10th March 2009 08:47 GMT

here's your peanuts. CSS is not a plain text file, it is served as text/css. See, this is the problem we have people without a clue thinking they know what is going on, Wortel is one of them.

==

I suppose I should thank you for trying to poison me then, as I am allergic to peanuts.

While we are on the subject of ill-thought-through actions, let's address your reply.

A style sheet has been and always will be a plain text file. The only thing you assume correctly is that it is -served- as text/css, but it is still the same plain text file after being transferred to the client. We call that description, 'text/css', a MIME type. You'll find it in Apache's server configuration if you know where to look. You do know where to look, do you?

You can easily reconfigure Apache to mark a different file as 'text/css' if you wanted. Do we do that? No, we don't. Do we want to? Maybe, in the future.

It doesn't process the file in any other way, that's the job of the web browser.

But I suppose you want to blame the webserver now for handing out style sheets? Go ahead.

In a way I should thank you, for the ignorance of your kind like previous AC keeps people like me who apparently are "people without a clue thinking they know what is going on" employed, paid and happy. Well scratch the happy part, supporting trolls like yourself should be rewarded with the keys to the armoury.

Thumb Up

All passing the buck!

I notice everyone mentioned in the article declares that they themselves are not at fault, when they are patently ALL at fault!

And Microsoft now comes in and has the article re-edited to its own whims?

That is outrageous!

Talking about IE bugs - I cannot update from IE6! And of course I cannot uninstall it either. That to me constitutes both a bug and a vulnerability.
