All attempts to contact ebay about this issue/vulnerability through publicised channels proved to be in vain as I got no decent response or action on any of them, so I’m publicising it here in the hope someone who can actually get hold of ebay will let them know. I’m not going to give precise details of the exploit so that anyone could do it, but I’m going to provide enough details so that the risk is made clear to anyone with half a brain (which, judging by the responses I got from ebay staff, they don’t have).
We’ve all heard of spoof e-mails with a link to a fake site that looks like eBay in an attempt to grab people’s eBay logins, but imagine if it was possible to send a link out to people in an e-mail or eBay message that did exactly the same thing, but where the link genuinely started with the ebay.com domain. You’ve guessed it: it is in fact possible to do just that.
In various places around the eBay website there are redirects in place. That is to say, some code behind the scenes checks whether a number of things are true before allowing a user to visit a particular page or group of pages, and if they are not, it first redirects the user to another page on eBay, with the page to come back to passed along in the URL. A truly secure site would ensure that the URL it redirects to is one inside the eBay domain, but eBay’s doesn’t. In fact it allows you to place any link there at all; this class of bug is usually called an open redirect.
What this means is that if a suitable redirect is chosen and a spoof website link is placed in as part of it, you can send people links through the eBay message system that appear to point to a location on the eBay site, because the URL really does start with the eBay address; only the part after the redirect parameter, which most people never read, points elsewhere. If the message implies a user may have to sign in again, the user may not even think it’s suspicious that a login screen comes up. Indeed, even if the message didn’t say you would need to log in, eBay asks you to sign in again so frequently anyway that the attacker would probably still get away with it.
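To make the difference between the redirect described above and a safe one concrete, here is an added illustration (not eBay’s code, and not something from the original post). The parameter name `return_to`, the host allow-list and the fallback path are assumptions. The vulnerable version does what the post describes: it sends the user wherever the parameter says. The hardened version only accepts targets that stay on the site, and it deals with the tricks browsers accept but naive parsers miss: scheme-relative `//host` links, the `///host` form, backslashes, credentials in the authority (`www.ebay.com@evil.example`) and non-HTTP schemes.

```python
"""Open-redirect check: accept a ``return_to`` parameter only when it stays on
the site's own hosts.  Added illustration; ALLOWED_HOSTS, SAFE_FALLBACK and the
parameter name are assumptions, not eBay's real values."""
from urllib.parse import urlsplit

# Assumed allow-list of hosts the site is willing to send a user to.
ALLOWED_HOSTS = {"ebay.com", "www.ebay.com", "signin.ebay.com"}
SAFE_FALLBACK = "/"  # where a rejected target is sent instead


def vulnerable_redirect_target(return_to: str) -> str:
    """The pattern the post describes: the Location header is whatever the
    parameter says, so 'https://evil.example/ebay-login' is accepted as-is."""
    return return_to


def is_safe_redirect(return_to: str) -> bool:
    """True only if a browser following this target cannot leave ALLOWED_HOSTS."""
    # Browsers treat backslash as a slash and ignore control characters;
    # urlsplit does not.  Reject them outright rather than guess.
    if any(ch == "\\" or ord(ch) < 0x20 or ch == "\x7f" for ch in return_to):
        return False
    try:
        parts = urlsplit(return_to)
    except ValueError:  # e.g. malformed IPv6 brackets in the host
        return False
    if parts.scheme not in ("", "http", "https"):
        return False  # javascript:, data:, ftp: and friends
    if parts.netloc:
        # Absolute (or scheme-relative "//host") target: no userinfo tricks
        # such as "www.ebay.com@evil.example", and the host must be listed.
        if "@" in parts.netloc or parts.hostname is None:
            return False
        return parts.hostname.lower() in ALLOWED_HOSTS
    # No authority component.  Accept only a plain site-relative path that
    # starts with exactly one slash: "//host" is scheme-relative, and browsers
    # also parse "///host" as a host even though urlsplit reports no netloc.
    # A bare "http:/host" (scheme but no netloc) is rejected here too.
    return return_to.startswith("/") and not return_to.startswith("//")


def hardened_redirect_target(return_to: str) -> str:
    """Location value a hardened handler would emit for the given parameter."""
    return return_to if is_safe_redirect(return_to) else SAFE_FALLBACK


if __name__ == "__main__":
    # Constructed sample values a phisher might place in the redirect parameter.
    for candidate in ("/myebay/summary", "https://www.ebay.com/signin",
                      "https://evil.example/ebay-login", "//evil.example/login",
                      "///evil.example", "/\\evil.example",
                      "https://www.ebay.com.evil.example/",
                      "https://www.ebay.com@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} vulnerable -> {vulnerable_redirect_target(candidate)!r:40} "
              f"hardened -> {hardened_redirect_target(candidate)!r}")
```

An exact host allow-list is deliberately used rather than a suffix check like `endswith("ebay.com")`, which `www.ebay.com.evil.example` would pass. Where the set of return pages is small, a stronger design is to pass an opaque token and look the real URL up server-side, so no URL from the request is ever reflected into a Location header at all.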
Now, while this doesn’t mean every person would fall for it, it certainly makes it more likely that you would, especially if you were in a hurry. So what can we do about it? All of you reading this, send a message to eBay. At the very least it will increase their mail volumes, which will make me feel better considering how they ignored me, and at best they will finally see that something is wrong. Failing that, just don’t fall victim to this one yourselves! If you see a login screen on eBay, check the address bar every single time to make sure it’s legit, even if the link you just clicked on looked legit, because the start of a link tells you nothing about where a redirect in it will send you.
For those wondering if I fell for this, no, I didn’t; in fact I don’t believe it’s being properly exploited yet. I discovered this by someone sending me a legitimate link where they had mistyped the redirect part of the URL, and I noticed the potential for damage when I clicked on the malformed link and ended up outside of eBay.