Gone phishing with eBay

There I was, on Monday night, scanning eBay for car bits. This is not a problem. I have this under complete control. I can give up buying worn out parts and rusty bits of bodywork at any time. Really. Anyway, I spotted a real bargain, a 2007 Bentley Continental for 0.01 GBP. Since these usually retail for something in the …

COMMENTS

This topic is closed for new posts.
  1. Josh

    Great find

    Great find...

    If you find that the redirects go by too quickly in IE, download Firefox and install both the NoScript extension and the Web Developer Toolbar extension. The NoScript extension will let you view each screen as it goes by because you will have to enable JavaScript for each domain that it redirects through. The Web Developer Toolbar lets you disable any meta redirects.

  2. Anonymous Coward

    *sigh*

    Why do PR people insist on telling such blatant lies?

    It's pretty obvious that they have no system, otherwise the listing would not exist. They just rely on people telling them.

    Incidentally, you needn't have blanked out the user's ID, because the images you posted are pretty illegible anyway...

    PS While I'm here, a couple of points about the comments section.

    1) ever since you changed it recently, my browser is unable to remember my login details

    2) it would be really useful if the story was still visible at the top of the comments page

  3. Anonymous Coward

    XSS

    ...the most likely explanation.

  4. Anonymous Coward

    There's obviously no auto checking

    Or it would pick up things like this:

    http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=330123592619

    Check who has made purchases for a real shocker.

  5. Anonymous Coward

    XSS flaw recorded on video

    Where have you been? That porn redirect, in various forms, has been present on eBay, and documented, since around October or November of 2006.

    Look on a movie and photo hosting site called hidebehind for the movie with file name 46C8A8; there you will see a live naked lady redirect XSS auction from/on eBay, with the redirect and all, in the Firefox browser 2.003.

    please note the above site is an adult site. If nudity and/or porn offends you do not visit or look for it.

    That XSS flaw has been unrepaired and unacknowledged for at least over 1 whole year, possibly longer. (see US-CERT Vulnerability Note VU#808921)

  6. Steven Knox

    Nice report -- almost

    "Thirdly, it took eBay at least two hours to respond to this after it was reported."

    Not true. According to your timeline, you reported it at 21:54 and the listings were gone at 00:15. That's 2:19 to COMPLETE a response, not to begin responding.

    "Do you consider this to be moving “quickly”?" That depends. How many fraudulent listings were there? If there were only the dozen or so you showed, that's one thing. But if there were thousands or millions*, the picture looks different.

    I remember when I was in college, and our primary T1 went down. We had a backup 56k line, so the connection didn't die, but everything slowed down. I did a traceroute and the numbers were in the 2000 to 3000 range. That really pissed me off until I recalled that those figures were milliseconds. Perspective restored, I sat back and waited the 2-3 seconds.

    I'd take 2-3 hours response time over the days it takes credit card companies to verify fraud or the months it takes some companies to even admit they had a breach of any kind.

  7. Anonymous Coward

    Well, duh !

    Who would have thought that clicking on a link that advertises an expensive product, for a ridiculously low sum, illustrated with a half-naked woman, would be a risky thing to do!

    I have a great story about clicking on links on porn sites if you're interested - ends up much the same way. Only trouble is the story is about 10 years old now.

  8. Rupert Jabelman

    I spotted one of these last week.

    A very similar setup, on an ad for a VW camper. I reported it to eBay straight away, but they didn't seem to understand what was wrong:

    --

    Thank you for your email. I understand your concern at the listing for a 1965 Volkswagen (item: 200111255407).

    However, while we're always happy to help you, we can't tell from your email what exactly your inquiry is. Please write back with more details about your query or problem and any information you feel is important to help us solve it.

    We look forward to receiving your reply and helping you in any way that we can.

    --

    I had to spell out in words of one syllable what was wrong with the auction, and why this was a bad thing before they figured it out.....

  9. Jennifer Royston

    Re. Well Duh.

    >Who would have thought that clicking on a link that advertises an expensive product, for a ridiculously low sum, illustrated with a half-naked woman, would be a risky thing to do!

    I think that was why the author added the comment about it being the lister's daughter. I think, in his own English way, he was making the point that this DID look risky; which was presumably why he followed it.

    The point isn't really about whether it looked suspicious, the point is that eBay is allowing this sort of redirect from its site.

  10. Luca

    THERE'S WORSE...

    A while ago eBay contacted me saying my account was hijacked and there was a $10,000 bid under my account for a used car engine. After all the headache of resetting the account, changing passwords, etc., I spoke to an eBay representative asking how my account could possibly have been hijacked, and the answer was that eBay allows any kind of HTML code in their auctions because they don't feel sellers should be restricted when creating a web page, so I could be on eBay one second and on a scam site the next. The only solution, therefore, according to them, was to use the eBay Toolbar (which only works on IE; I use Firefox).

    EBAY KNOWS THEIR SITE IS WEAK AND YET THEY DON'T DO ANYTHING ABOUT IT!

    UNBELIEVABLE!

  11. James Cleveland

    Listing freedom

    Really isn't worth it. Sure, they should have some nice BBCode to put some images in, but full HTML support? Who cares about flashy pages; all we want is an item.

    PS They all look sh*te anyway.

  12. A J Stiles

    Not eBay's fault

    It's not really eBay's fault.

    Let's suppose someone designed a car in such a way as to make it possible for somebody (ostensibly, only the manufacturer and then only in certain circumstances, although it's widely known -- though the car manufacturer strenuously deny this -- to be open to abuse) remotely to take over the steering, the pedals, the gears and the ignition.

    Furthermore, this car isn't sold to buyers in the usual way. It's given away gratis when you buy a bundle including a year's insurance policy, a year's worth of fuel and some accessories. The car manufacturer is also suspected of applying illegal pressure to insurance providers and fuel companies to dissuade them from insuring or gassing up any other makes of car, but the evidence always goes missing at the last minute (just before the senior investigating officer wins the lottery and retires to the sun, or has a nasty but improbable accident).

    As a result of this aggressive marketing technique, this car is the most popular model on the roads. The newest model is even fitted with a much-touted device to warn you if it detects someone trying to take over the controls; however, this is not 100% reliable and never can be, since the warning device itself can, by design, be overridden by the manufacturer (or anyone else who knows how to pretend to be the manufacturer -- who, of course, vehemently deny that this is possible).

    Now, someone drives to town in their free-but-hopelessly-insecure car to go shopping at Woolworth's; but finds their car being redirected to some other store instead.

    Is that really Woolworths' fault, for being a popular destination for shoppers driving insecure-by-design cars?

  13. Will Hill

    Infection Detected.

    The author claims, "So, it could be malicious code on the PC but both David and I would have to be infected in the same way; possible, but unlikely." But it's not true. He's already identified himself as a Windows user. The chance that his friend is also a Windows user is about 80%.

  14. Adam

    Shocking

    I love some analogies that people come up with. The one above by A J Stiles goes to the top of the list as the biggest pile of rubbish I have heard for a long time.

    EBay have got full control over the HTML that is generated by their site, so if dodgy JavaScript/html/etc appears on their site it is totally their fault.

    It is simple enough to remove all html tags apart from simple formatting ones. Okay there is still the opportunity for suspect remote images to be loaded onto the site, but hopefully there shouldn't be any further problems like the wmf issue.

    Of course EBay will never admit the failings, but hopefully they will fix these problems behind the scenes.
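The thread keeps circling one point: listings can carry arbitrary HTML, so a meta refresh, a `<script>`, an event handler or a `javascript:` link bounces the visitor off eBay (comments 1, 3 and 10), and Adam's reply is that an allowlist of simple formatting tags would stop it. The sanitizer below is an added example written for this page, not eBay's code and not anything the commenters posted. The tag and attribute allowlist, the URL policy (absolute http(s) only) and the sample listing are all assumptions made for illustration; the sample is constructed to mimic the redirect tricks the thread describes. It returns both the cleaned markup and an audit trail of what was removed, which is the "auto checking" comment 4 says eBay lacks.

```python
"""Allowlist sanitizer for seller-supplied listing HTML.

Added example for this thread, not eBay's code. It keeps a small set of
formatting tags and strips the redirect vectors discussed above: meta refresh,
<script>, event-handler attributes, javascript: URLs and frames. The allowlist
and the sample listing are assumptions chosen for illustration.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "img", "a"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements whose *content* is discarded too, not merely unwrapped.
DROP_WITH_CONTENT = {"script", "style", "iframe", "frame", "object", "embed", "noscript"}


def clean_url(value):
    """Return an absolute http(s) URL, or None if the value is not one.

    Browsers skip whitespace and control characters while reading a scheme,
    so " jAva\\tscript:" still executes; strip them before the prefix check.
    Relative and protocol-relative URLs are rejected too (assumption: listing
    images and links are expected to be absolute).
    """
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    if cleaned.lower().startswith(("http://", "https://")):
        return cleaned
    return None


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []     # audit trail: what was removed and why
        self._open = []        # allowed tags currently open, for balanced output
        self._skip_depth = 0   # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = 1
            self.findings.append(f"dropped <{tag}> and its content")
            return
        if tag not in ALLOWED_TAGS:
            # e.g. <meta http-equiv=refresh>, <form>, <div>: tag goes, text stays
            self.findings.append(f"dropped tag <{tag}>")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                # covers style=, onerror=, onmouseover= and anything else unlisted
                self.findings.append(f"dropped attribute {name} on <{tag}>")
                continue
            if name in ("href", "src"):
                value = clean_url(value)
                if value is None:
                    self.findings.append(f"rejected unsafe {name} on <{tag}>")
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in self._open:
            # Close anything still open inside it so the output stays balanced.
            while True:
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE> and <?...?> fall through to the base class, which
    # emits nothing for them.

    def close(self):
        super().close()
        while self._open:
            self.out.append(f"</{self._open.pop()}>")


def sanitize_listing(html):
    """Return (clean_html, findings) for one listing description."""
    parser = ListingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample in the spirit of the thread's 0.01 GBP Bentley listing.
SAMPLE_LISTING = (
    '<p>2007 Bentley Continental, 0.01 GBP <b>bargain</b>!</p>'
    '<meta http-equiv="refresh" content="0;url=http://redirect.example/go">'
    '<script>window.location="http://redirect.example/hop"</script>'
    '<img src="http://img.example/car.jpg" onerror="location=\'http://evil.example\'">'
    '<a href=" jAva\tscript:location=\'http://evil.example\'">Bid now</a>'
    '<a href="http://seller.example/photos">More photos</a>'
    '<iframe src="http://evil.example/"></iframe>'
)

if __name__ == "__main__":
    clean, findings = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    for finding in findings:
        print("-", finding)
```

The design point is that everything not explicitly allowed is dropped, rather than trying to enumerate bad tags, so a new trick (a `data:` URL, a `vbscript:` link, a `style` attribute with an `expression()`) is rejected without a rule for it. The findings list is what a listing-submission pipeline would log or score on, so a seller whose descriptions repeatedly trip the redirect checks can be looked at before a buyer complains.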

  15. Stu

    eBay sucks

    I'm not surprised at all...

    A few months ago someone tried to buy my brand new spare mobile phone. He'd registered that day, and had zero feedback, so I was a bit suspicious.

    On checking the guy's details, his postcode didn't exist. I complained to eBay about this, and they refused to cancel his account and bid, leaving me in limbo for 7 days before I could file a "non payment" report. Then, they insisted I try ringing the bidder, using a mechanism built into the site that revealed both the buyer and seller's registered phone numbers to both parties. The phone number was a fake also. The buyer's account was never cancelled by eBay.

    eBay are threatening me with court action for not paying their listing fees. I say, bring it on. Talk about not fulfilling their duty of care in the prevention of fraud...

    Why could a big corporation such as eBay not make the following checks mandatory on all new accounts:

    1. VALID postcode for the country in question, that matches the specified address.

    2. Text message verification of the primary phone number entered - given that if you text a UK landline, Tom Baker will read the text for you anyway!?

  16. Anonymous Coward

    DON'T PAY STU!!!!

    In my experience, eBay are very slow to act against fraudsters, slow to help provide information (despite the privacy policy now saying they'll give all your details to "other third parties") and slow to suspend accounts.

    You're providing a service to eBay by drawing their attention to this crook.

  17. Anonymous Coward

    If you don't tell eBay they never know

    Their *automated* system involves a minimum of 2 people complaining, and then a person/trained monkey looks at the auction and tosses a coin to decide whether they should pull it (and lose income) or let it run and let some poor schmuck be conned; and if they then complain, hope that they paid with cash/Western Union and therefore don't need to care.

    Oh, am I sounding cynical?
