Amazingly clever yet scary ebay scam using javascript
June 12th, 2007 | Posted in Bizarre | 45 Comments
Check out this seller's rating. Do you see 120? Now hit refresh: what did the figure change to?
Here are screenshots if the item is no longer available:
What buyers would normally see
What buyers would see momentarily after a refresh, before the embedded JavaScript changes the rating value back up to 120 (first screenshot)
The JavaScript not only changes the seller's rating, it also points the seller's link to an actual seller with that rating. Amazingly, eBay allows JavaScript to be embedded into listing templates, thus allowing the surrounding page to be manipulated in this way. I have seen the offending piece of code, which I was going to post but decided against for obvious reasons. I am astounded to think that there are no checks in place to prevent this from happening.
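The check the post says is missing, as an added example that is neither eBay's code nor the post's own: a server-side allowlist sanitizer (Python, standard library only) that strips script blocks, inline on* handlers and non-http(s) URLs from a seller template before it is rendered inside the eBay page, and reports what it removed. The tag and attribute allowlists, the example.com URLs and the sample listing are constructed assumptions.

```python
from html.parser import HTMLParser
from html import escape

# Allowlists below are an assumption for this example, not eBay's actual policy.
ALLOWED_TAGS = {"p", "b", "i", "br", "ul", "li", "a", "img", "table", "tr", "td", "div", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SCRIPT_LIKE = {"script", "style"}     # their text content is dropped along with the tag

class ListingSanitizer(HTMLParser):   # rebuilds a template from allowlisted parts only
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:       # drop the tag; inner text survives unless script-like
            self.findings.append(f"<{tag}> removed")
            if tag in SCRIPT_LIKE:
                self.skip += 1
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):     # onload=, onclick=, ... are inline script
                self.findings.append(f"{name} handler removed from <{tag}>")
            elif name in ("href", "src") and not value.lower().startswith(("http://", "https://")):
                self.findings.append(f"{name}={value!r} rejected on <{tag}>")   # javascript:, data:, ...
            elif name in ALLOWED_ATTRS.get(tag, ()):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SCRIPT_LIKE:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in ("br", "img"):   # void tags get no close
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:                 # text inside <script> never reaches the output
            self.out.append(escape(data))

def sanitize_listing(template_html):
    p = ListingSanitizer()
    p.feed(template_html)
    p.close()
    return "".join(p.out), p.findings    # cleaned HTML plus what was stripped and why

# Constructed sample in the post's pattern: an onload hook rewriting the feedback widget, an inline handler, a javascript: link.
SAMPLE = ('<p>Nice <b>coin</b>, see <a href="http://example.com/pic">photo</a></p>'
          '<script>window.onload = function () { /* rewrite feedback count */ };</script>'
          '<img src="http://example.com/x.jpg" onload="document.title=1"><a href="javascript:void(0)">go</a>')
```

Because the parser rebuilds the output from its own allowlist rather than deleting patterns from the input, anything it does not recognise (including a script block's text) simply never reaches the rendered page.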
window.onload = function() { var is = document.images; for( var i = 0; i ‘; nodes[i].href = ‘http://feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&userid=roblou457′; }; }; }
I don’t see the problem, at least not with this example. If a seller wants to kill his own score, who cares?
Leapin: He’s changing a 0 to a 120 to make the buyer believe that he has a reputation. If you click on his name, it shows how he has zero feedback.
I looked it up and ebay has a policy on this:
http://pages.ebay.co.uk/help/policies/listing-javascript.html
I’ve reported the listing and hopefully it’ll get taken down and banned.
They allow javascript so sellers can have those cheesy scrolling lists of items, I say they should just disable javascript altogether.
Kill his own score? He shows people a high score when they’re about to buy; if the transaction goes well, they leave positive feedback for him and his score goes up. If it doesn’t go well and they leave negative feedback…who cares? He’ll just show the next bloke someone else’s score and continue merrily on his way.
Umm, but he's not "killing" his score. He's improving it and thus defrauding potential buyers by making them believe he is a better seller than he (obviously) is.
You’re a sharp one, Leapin.
This odds-on means they are also vulnerable to a whole host of exploits. Why, with DOM control like that you could embed a nice little exploit page in a 1 by 1 iframe and compromise bidder’s PCs all day.
[...] clever yet scary ebay scam using javascript So I would assume to avoid this- shift-refresh?-MC Amazingly clever yet scary ebay scam using javascript: The javascript not only changes the sellers rating, it also points the sellers link to an actual [...]
How do you do the picture thing where it pops but not as a pop up? that is wicked cool.
I’m seeing what Leapin is seeing…the caption for “what buyers normally see” is under the picture of the 120 score, while the caption for “What buyers see after a momentary refresh” is under the picture with the 0 score. This would lead one to believe that he lowered his score, which obviously doesn’t make any sense.
Yeah, you’re right. I have changed the description slightly to make more sense.
So does that mean I can grab people’s eBay session cookies just by including a little JavaScript with my auction?
@Frank: He could do a lot more than that. I talk a bit about XSS and some of the attacks that are possible on my blog - Dangers of XSS
eBay could easily prevent this by registering their own onload event just before the closing body tag.
Anton,
If they did that, you could then use attachEvent to add multiple event handlers to the window - window.attachEvent("onload", myFunction).
eBay does do a lot to prevent javascript trickery by manipulating the javascript calls. And people keep finding ways around it. eBay just has to keep building a better mousetrap.
They would be better off not allowing javascript, and instead providing some "widget" for doing the scrolling product listing... but who knows, maybe they have some great reason for it.
-Chris
Hi,
I saw the 120 and the 0 after the refresh. A second refresh and now ebay apparently took the item down - now I get an “Invalid Item” page. That was at about 1:23 am (CEST) on June 13th.
Regards…
Michael
Amazingly clever yet scary ebay scam using javascript…
This story has been submitted to Stirrdup. If it can generate enough interest, it will make it to the main page….
[...] eBay allows JavaScript to be used in product listings. And look at how this can be used. [...]
Man that really is scary. Just wait for someone to pump some code in there to manipulate the dom enough so that an entire fake website is produced in place of the official eBay site.
That’s an unbelievable flaw - I can’t believe it exists!
I inferred that Leapin was (sarcastically) wondering why on earth anyone would want to have an eBay score as low as 120.
I guess when you’re a 0, 120 must seem so very far away.
Let us know when you get to 4 places, let alone 5…
B*
It’s funny that nobody has noticed that he supposedly had 120 feedback when he signed up on the 11th of June. Now that’s impressive!
Forget changing seller’s rating. He could do a hostile redirection when they go to bid, capturing their ebay information / credit card numbers
But why would he want his score to look lower?
Leapin, what the hell? Read the article again!
[...] ebay scam using javascript. [...]
how do you idiots not see what’s going on. a new user puts up 50 auctions of JUNK or DEFECTIVE items, or hell, with this it could be a pure scam. you bid, you win, you pay and the seller is gone. closes the account and opens another one with a different name. better yet, he can just redirect his feedback to look like he’s reliable.
It seems that smrt is venting his frustration for not being able to understand or contribute to this thread. Insecure much, smrt?
Using XSS for things like this will probably become more and more common. T’is scary!
Jen - it’s using the lightbox plugin for the photos.
This is interesting, if they can use javascript couldn’t someone just float an entire div to cover over that part of the site?
Despite eBay's claims that they have filters in place, it seems that they aren't working, in which case you can pretty much do anything javascript will allow you to do.
We had one of these listings removed from the eBay UK site yesterday. The key points are that the code
1) displayed a false PowerSeller logo
2) displayed a false PayPal protection logo
3) showed an incorrect FB number and linked to someone else’s good FB page.
To a typical buyer it looked as though they were buying from a reliable (100% feedback) private seller - in fact, the scammer was being quite clever in not “borrowing” a massive feedback. He stole the listing text from a previous successful sale and, likewise, just wanted to look like “one of the crowd” - a normal enthusiast seller.
Bizarrely, according to http://www.theinquirer.net/default.aspx?article=13741
This is eBay's official response with regard to this exploit:
It's official, the company is being run by idiots. :)
I can’t believe leapin is so freaking thick.
Leapin you drongo - the now NARU seller on the screengrabs set his page up with a javascript code so that he GOT 120 feedback, a Powerseller Logo AND Paypal buyer protection when in fact his score was zero.
That isn’t decreasing your feedback you braindead muppet - it’s increasing it - you know 120 is higher than zero.
Leapin
Do you want to buy a few 1887-CC morgan dollars?
[...] Amazingly clever yet scary ebay scam using javascript By Fiaz Check out this seller's rating. Do you see 120? Now hit refresh, what did the figure change to? Here are screenshots if the item is no longer available: Normal View What buyers would normally see. Refresh View … [...]
To EBUY MANAGMEND. Dont use java script :)
Surely this will only harm the seller in the long run when people see what has been going on.
[...] can be gamed to artificially inflate its positive feedback number? This happened on eBay.co.uk, I learned about this and wrote a short blog post for the Security [...]
Okay, I have a lot to say on this. One person asked how the owner of this site does a popup when images are clicked that isn't actually a popup.... It's a javascript program called Lightbox. There is also Lightbox 2.0 and Lightbox EX and a couple of other versions.
Also, eBay doesn't allow a lot of different javascript code. You can't include a javascript from another site, being one of them. I've been trying to make my page look better via some javascript. Interestingly enough, when I try to use DOM to use the Lightbox program I just told you about... my DOM doesn't work; it's there, in the page, looks right and everything, but it just doesn't do anything. So maybe eBay found a way to completely disable DOM???
As for another person's response about someone throwing an entire div over everything on the eBay page, essentially making a completely different page: that wouldn't work. Z-indexes do not work, and therefore even if you were to throw a large div on top of everything, anything eBay had a z-index on would show up over the top...
Sorry for those of you that don't understand javascript and css; that might all seem a little deep, but relevant to the few questions I was answering.
For those of you that like to do visual design on your eBay ads, it's nice to have the javascript ability.
Now given I’m not going to use DOM for hijacking anything on ebay because I have high ratings already and I have a store on ebay which I plan to keep. All I do is sell coins (Amusing since dude above made a post under the name “Coinscams” asking idiot boy to buy some morgans lol).
But seeing as there is a way to get DOM working and I’m just missing some little mistake in my code. There are many things that someone could do.
As a developer and someone who got in trouble for changing prices on very large corporation websites before buying products, I can tell you right now there is probably a very large exploit in the payment system. If the user can use javascript in it, they could add a seller charge at the last moment of $30 or whatever they want. Assuming the buyer doesn't notice, they would get an extra $30; even if the buyer did notice, they wouldn't have a choice but to pay the extra $30 because they wouldn't have a clue why the price was wrong. If they didn't pay, they would get in trouble with ebay for failure to pay for an item....
Firstly, can I say that this blog has been well worth reading if only for the chuckle at Leapin's superior knowledge on the subject.
Secondly.... WOW!!... This is all quite shocking... especially eBay's answer!! Thing is tho - even if the con man conned a few thousand $'s or £'s, wouldn't it be EASY for eBay (or the authorities) to prove it was a con and press charges for fraud or something?? All the money is traceable because it will go through Paypal and into a bank account etc, yes???
Or at least eventually Paypal would block the guy from using their services wouldn’t they???
Lmao… agreed on idiot boys comments.
We do a lot of ebay transactions, so this is concerning. If we simply refresh a listing, does it always show the correct rating, etc? Or does refresh not always work? This is very sneaky!
You’d have to turn javascript off to see the correct rating.. otherwise it will only show the true rating for a fraction of a second.