Marketplace
Ok, so I noticed today that ebay's website is unsecure and this includes My Account page.
Anyone else have that issue?
I'm paranoid!!
Tried looking at how I can contact ebay and there is no way to contact them regarding this!
Why is eBay's website unsecure!
Bilbo Bargains on 22/03/2017 - 20:45
Last edited 22/03/2017 - 23:41 by 1 other user
Last edited 22/03/2017 - 23:41 by 1 other user
Related Stores
Comments
That wouldn't/shouldn't fix the problem.
Https everywhere can only give you https if the website actually provides an https version. eBay only allows https for personal pages (which are not https by default, as OP mentioned), but not the homepage, which opens the door to man-in-the-middle attacks.
Note that I'm not paranoid but just want the facts presented. Before I started using packet sniffers and "trusted" certificates for development work I never would have guessed how effortless it was to steal information. It's amazing how people are worried about their own government getting their metadata but they'll trust a shadowy VPN across the world who pinky swears they don't keep logs.
I noticed the sign in page and Shopping cart appear to be secure, but other sections of the website appear insecure
The good news is it has been this way forever. The bad news is that it has been this way forever…
People have been asking for years why eBay of all sites would not make the transition to https://. Some of the theories were posted years ago but I've never found a conclusive answer (https://security.stackexchange.com/questions/53250/why-do-so…). It's generally assumed to be a cost-saving measure achieved via SSL-free caching.
The excuse that log-in pages are encrypted doesn't fly, and we have history to teach us that lesson. Most major websites used to think the same way, and then the Tunisian government used this flaw to hack people's Facebook accounts and steal log-in details. Any invasive government or ISP with minimal IT capabilities can perform a man-in-the-middle attack to serve a false non-encrypted page that collects information and sends it to a spying database. From memory, the Tunisian government actually made use of innocent looking fake GET requests to Google.
Popular websites have more responsibility since hackers are going to chose a popular website to phish. Not some cooking blog.
Phishing has nothing to do with man in the middle attacks.
I wish people would devote more time to things that actually mattered. For example the Australian gummints has legislated that every citizen of this country be spied upon by having all metadata that is generated by using the internet effectively making Australia a polikce state.
And yet we're having ludicrous discussions about locking down eBay instead of discussing Australia being a police state. The gummints don't care about your ebay mang.
I couldn't tell if the first sentence was sarcastic but I'm pretty sure MITM attacks to obtain personal information (bank account details, logins etc) is a pretty good example of a phishing attack. If you weren't being sarcastic then I'll assume you were expecting e-mails or instant messaging to be involved, which isn't the case.
But anyways…it's true that in the end you don't control your information if you don't control all of your infrastructure and communication channels. Anything else is a fragile illusion. Privacy "laws" mean absolutely nothing if an authoritarian government/gummint takes over and uses its powers for evil.
A phishing attack is tricking the user into voluntarily divulging information. A MITM Attack is more intercepting information between the client and the host without their knowledge and typically with the ability to alter or inject information.
Basically Alice and Bob want to have a private conversation. They know that people can listen in but they don't mind so long as no one can make sense of what they are saying. They decide to encrypt their conversation using a symmetric key cipher. To do this they must exchange keys with no prior knowledge of a shared secret and over an insecure channel. The Diffie-Hellman key exchange provides a means to exchange keys under these conditions so they go ahead and exchange keys so as to encrypt further talk. They are using a 512 bit key and here is where they come undone. Chuck decides to listen in to Alice and Bob's conversation because he knows they are talking about him. He makes use of logjam, an exploit in the Deffie-Hellman exchange that allows him to derive the keys used to encrypt the conversation. Chuck is now able to launch a MITM Attack by intercepting the conversation and manipulating it before forwarding it on the the intended destination.
Alice and Bob are none the wiser as they placed all trust in their encryption and no additional validation/verification occurs. For all intents and purposes, Alice and Bob believe the information they are receiving has come directly from the other participant unadulterated when, in fact, Chuck is able to read, write and modify messages both ways.
@kywst: So you're saying that if a man-in-the-middle attack is used to inject javascript in a page for the purpose of extracting a user's password then it's not considered phishing?
Note I'm not being sarcastic, I honestly don't see restrictions in the usage of the word "phishing" in this context but perhaps there is an official stance I'm unaware of. Please share a reference if available.
Wikipedia's entry for phishing produces this: "A Universal Man-in-the-middle (MITM) Phishing Kit, discovered in 2007, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site."
And here's a journalist's take on the Tunisian hacking story I mentioned above: http://news.softpedia.com/news/Government-Run-Countrywide-Ph…
In the text: "Because it takes place on the real mail.google.com address, this phishing attack clearly has the potential to trick a lot of users, but there's even more." and "This is clearly a man-in-the-middle attack which involves hijacking traffic in real time at ISP level."
Please note that I understand the complexities of various man-in-the-middle attacks as a web developer (I perform them on my own websites for debugging) but I'm no wordsmith. So I can be convinced if you show me some official statement from some fancy-pants organisation :)
@peterpeterpumpkin: Semantics at play. A MITM is more. XSS is the injection of malicious client side scripts. This differs as the client is compromised but the host isn't necessarily. In a phishing attack the interceptor probably has no interest in passing data on to the intended destination; much like the Tunisian article states that users received:
"Notice: Undefined index: Passwd in C:\Program Files\EasyPHP5.3.0\www\ServiceLoginAuthservicemai.php on line 57."
You can see that while the client was "compromised" the host wasn't actually affected.
@kywst: Cool. As long you understand it's just semantics. Sometimes I forget OzBargain isn't a tech website and I end up feeding the trolls.
@peterpeterpumpkin: All good but still a MITM attack is generally understood to mean the man in the middle isn't compromised meaning it doesn't rely on user weakness at some point. At least a successful one :)
Alice and Bob are none the wiser as they placed all trust in their encryption and no additional validation/verification occurs. For all intents and purposes, Alice and Bob believe the information they are receiving has come directly from the other participant unadulterated when, in fact, Chuck is able to read, write and modify messages both ways.
@kywst: After having some lunch and dealing with this almighty hangover … a simpler explanation made itself apparent to me.
A phishing attack typically:
- relies on user weakness.
- compromises the client.
A MITM attack typically:
- exploits vulnerabilities in protocol / code.
- compromises both the client and the host.
- maintains anonymity (presence) of the attacker.
So we can conclude the Tunisian example was a phishing attack and not a true MITM attack because:
- The host wasn't compromised.
- There was no "middle" ground as the destination was changed a mock page by the attacker.
- The attackers presence was bought to light by the error message.
- There was no evidence to suggest that a protocol / code vulnerability was exploited (during the attack itself, not the setup to the attack as clearly something was exploited to redirect the traffic in the first place).
Yes there's something very wrong with eBay, people's accounts are taken over all the time and scammers buy digital content with their accounts and urge the buyer to send ASAP before the account owner regains control.
How do they pay? There is another complex password at Paypal then an sms 2FA authentication at Paypal to go, even if they have complete control of your ebay account.
ok