Very serious eBay security problem


 amalgamated2000
 
posted on September 19, 2000 06:15:33 PM
I use a service called Humanclick in my auctions. It's a handy little tool that allows customers to chat with you online directly from your auction page.

Here's a recent thread about Humanclick:
http://www.auctionwatch.com/mesg/read.html?num=2&id=242906&thread=242731

One of the bits of information that the Humanclick screen provides is the "referrer" -- the page that contains the link that visitors used to get to your auction.

I recently noticed something very peculiar.

One of the referrers I noticed looked like this:

http://cgi6.ebay.com/aw-cgi/ebayISAPI.dll?MyeBayItemsSelling&userid=usersid&pass=2i2K6LhcSyhST9Wnx02&first=N&sellerSort=3&bidderSort=3&watchSort=3&dayssince=2&p1=0&p2=0&p3=0&p4=0&p5=0

Except that where I've inserted userid it actually had the viewer's ID.

Notice the next item in this string: pass

I was curious, so I went to My Ebay and then to one of my auctions. The Humanclick referrer showed a string similar to the one above, but with my ID.

I copied down the line (you can't cut and paste from the Humanclick screen) and put it in my browser's address box. Sure enough, it brought up my "My Ebay" page.

So I had a friend do the same thing. Again, I copied down the info. Sure enough, there was his "My Ebay" page, with all of his bid and account info.

It turns out that the "pass" string in the referrer is the user's encoded (not encrypted) password.

The bottom line is that when you access a page that uses Humanclick from "My Ebay" the seller can then access your account.

Now, as if this weren't bad enough, Humanclick is not the only way to get this information.

Referrers can be obtained in a variety of ways, including loading images from another server. If that server is running a stats package on its images, referrer information will be available. And there is no way for a viewer to tell whether this is the case or not.

Any time you access an auction from your My Ebay page, it is possible for the seller to obtain your password.

As far as I can tell, the only solution to this is for eBay to start encrypting passwords. Until then, your account is not secure if you use My Ebay to access other sellers auctions.




edited to change thread link to one that is more descriptive
[ edited by amalgamated2000 on Sep 19, 2000 06:32 PM ]
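The leak described above is visible to anyone whose server logs the Referer header. The following is an added example, not code from the thread or from eBay or Humanclick: it scans constructed access-log lines for referrers that carry credential-like query parameters (the "userid" and "pass" names from the post, plus a few assumed common ones) and shows what the referrer looks like once the query string is dropped, which is the effect of a redirect hop.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string keys that should never reach a third party via the Referer header.
# "pass" and "userid" are the names seen in the thread; the rest are assumed additions.
SENSITIVE_KEYS = {"pass", "password", "pwd", "userid", "token", "session", "sid"}

# Constructed sample access-log lines (Common Log Format plus a Referer field), the
# kind of record a stats package on an image server would keep. The password value
# is a placeholder, not a real encoded password.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2000:18:15:33 -0700] "GET /img/logo.gif HTTP/1.0" 200 1234 "http://cgi6.ebay.com/aw-cgi/ebayISAPI.dll?MyeBayItemsSelling&userid=exampleuser&pass=EXAMPLEENCODEDPASS&first=N"
10.0.0.6 - - [19/Sep/2000:18:16:01 -0700] "GET /img/logo.gif HTTP/1.0" 200 1234 "http://cgi.ebay.com/aw-cgi/ebayISAPI.dll?ViewItem&item=123456"
10.0.0.7 - - [19/Sep/2000:18:16:40 -0700] "GET /img/logo.gif HTTP/1.0" 200 1234 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ "(?P<ref>[^"]*)"'
)


def sensitive_params(url):
    """Return the sorted names of sensitive query parameters present in a URL."""
    if not url or url == "-":
        return []
    query = urlsplit(url).query
    # keep_blank_values so bare flags such as "MyeBayItemsSelling" are parsed too
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_KEYS)


def find_leaking_referrers(log_text):
    """Scan log lines; return (client_ip, referrer_host, leaked_params) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        leaked = sensitive_params(m.group("ref"))
        if leaked:
            hits.append((m.group("ip"), urlsplit(m.group("ref")).hostname, leaked))
    return hits


def redacted_referrer(url):
    """The referrer a third party sees once the query string is dropped (the redirect fix)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"


if __name__ == "__main__":
    for ip, host, leaked in find_leaking_referrers(SAMPLE_LOG):
        print(f"{ip} arrived from {host} with credential parameters in the URL: {leaked}")
```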
 
 hcross
 
posted on September 19, 2000 06:22:12 PM
I noticed that myself, I am tired of Human Click and am going to dump it. For one thing the doorbell is very annoying, especially in the evening. I have noticed that many, many of my items are on Watch Lists, and of course, that gives you access to that information. I was all for this, but in the last week or so, I have decided that I no longer want to use something that may be infringing upon someone else. Once this current batch of auctions end, I am taking it off.

VeryModern: You are now allowed to say "I told you so."

 
 amalgamated2000
 
posted on September 19, 2000 06:26:09 PM
I understand your take on Humanclick, but from a security viewpoint, this is a problem with Ebay, not Humanclick itself.

There are many ways to obtain the referrer information. And many of them are completely undetectable.

 
 VeryModern
 
posted on September 19, 2000 06:27:41 PM
I told you so?
No way Heather, but I am really glad to hear you're dumping them.

amalgamated2000 - thanks for posting this.

 
 VeryModern
 
posted on September 19, 2000 06:29:56 PM
Oh!
and Cookie Pal:
http://www.kburra.com/
Proxomitron (ad filter)
http://members.tripod.com/Proxomitron/

 
 RainyBear
 
posted on September 19, 2000 07:02:02 PM
Whoa! That is a security problem. Thanks for the warning, amalgamated2000.

If eBay were aware of this, I'd think they could easily (well, fairly easily considering the scope of their system) make a change so that encoded password information doesn't appear in any "My eBay" URL.

So... who wants to tell 'em?

 
 dave_michmerhuizen
 
posted on September 19, 2000 07:09:07 PM
humph. how exactly would you use that encoded password to bid, or whatever? sure, it gets you to your 'my ebay' page, but the information there is hardly secret. any significant function requires you to supply your password. Are you saying you've figured out how to get the text of the password from this string? I'm not too worried.


 
 amalgamated2000
 
posted on September 19, 2000 07:17:59 PM
I haven't attempted to translate the encoded password into the actual password, but since it is not encrypted, I think it would be possible.

But even on its own, this could be used in a variety of ways. One is as the ultimate shilling tool.

Sellers could find out exactly what your maximum bid is, and then, with one shill bid, drive the price up to your maximum.

I'm sure there are plenty of other devious ways to use this access.



 
 jbl7283
 
posted on September 19, 2000 07:34:14 PM
Just tried this myself. Got the following message when trying to access my own page (didn't want to infringe on anyone else's privacy).


One of the parameters received was invalid for this function. This probably means that your browser had problems with the form or you invoked the function
incorrectly. Please go back and try again. If you're using an old bookmark, you may need to rebookmark it due to recent changes to protect your privacy. If the
problem persists, please report the problem to eBay [email protected].

Followed the referrer listed above exactly, inserting my own info where appropriate. Notice the last line in the response? Think they (eBay) jumped on the patch that quickly?

 
 amalgamated2000
 
posted on September 19, 2000 07:50:08 PM
I edited the referrer above (which was originally to my account) to remove my user ID, and I also changed a few digits in the password.

It will take a fairly serious overhaul to fix the problem.

 
 magazine_guy
 
posted on September 19, 2000 07:51:40 PM
I'll drop a note to a guy in eBay Trust and Safety I dealt with recently.
 
 dc9a320
 
posted on September 20, 2000 09:10:43 AM
Edited to say... my original post here is completely missing the point and then unintentionally dragging the discussion somewhere else, so to eliminate the most confusion, I'll pull it and write a different reply. Sorry.
[ edited by dc9a320 on Sep 20, 2000 09:34 AM ]
 
 amalgamated2000
 
posted on September 20, 2000 09:24:48 AM
dc, it's not a matter of going from My Ebay to another site. These tracking devices can be included in an auction listing. And there's really no way to tell whether or not they are there.

If you use My Ebay to access any auctions other than your own (such as items you are bidding on or watching), you are vulnerable.

 
 dc9a320
 
posted on September 20, 2000 09:52:35 AM
amalgamated: Oops, sorry, I completely missed the point (so I pulled my original post so it doesn't muddy the issue).

I now see what you are saying, and agree it is a problem.

Too many sites encode identifying account information directly into their URLs, where it can be too easily seen.

Usually, this only becomes a potential problem when jumping from an account page on one site (one that encodes acct/pwd info in the URL) to some new site, so for awhile, I've tended to keep an eye on account URLs, and when they do include acct/pwd info in the URL, I tend to move and click somewhere else within the same site (e.g. eBay) before jumping to a new site (e.g. Yahoo).

However, I see now that in this case, moving within the same site is generating essentially the same kind of breach, accidentally (or neglectfully) spilling account information to a third party.

Heck, it's getting hard for a user to walk around these minefields of potential and actual security breaches, and this one is definitely a problem that eBay should fix.

No site should include account or password information in the URL string itself, and it's been a known problem for at least a couple years.

----
What's being done in the name of direct marketing nowadays is crazy.
The above are all just my opinions, except where I cite facts as such.
Oh, I am not dc9a320 anywhere except AW. Any others are not me.
Is eBay changing from a world bazaar into a bizarre world?
 
 VeryModern
 
posted on September 20, 2000 04:58:14 PM
up

 
 hcross
 
posted on September 20, 2000 05:21:05 PM
VeryModern: Yes, now I am agreeing with you. Of course a lot of it is over that crappy Watch List, I really did not even need to know that I had one item that was on about 30 bidders' watch lists and ended with two bids. Really depressing. Anyway, I just reformatted my template in AW and it will not be on the next batch of auctions. Heather

 
 smw
 
posted on September 21, 2000 02:58:14 AM
The Senate Judiciary Committee and good old Orrin Hatch released a booklet about Internet privacy today at the Rayburn building. There were a few companies there to tout what they are doing about it. This is the URL to the news story and there is a link to download the booklet (PDF). Not much, but the Senate seems to be in more agreement that it is a problem than the House Committee.

http://dailynews.yahoo.com/h/nm/20000920/wr/tech_privacy_dc_5.html



 
 Capi
 
posted on September 21, 2000 04:52:58 AM
HCROSS: I have read this thread and had no clue about this program. I downloaded it to see what it was about and in an email sent to me from the program site, they said they were sending additional information which they didn't. How does this work? I attempted to embed the info into a screen of my own and went there to click on the logo to see what happens and actually don't really see anything but a large window. When I did get info, that was confusing only.

Can anyone email me at Capricorn47@anglefire with this newsletter which outlines all the features and how to use the program? I still may not use it. I am testing it out on my own websites and visiting them to see what happens. I have not entered it into any auction site but even if I had, I don't see where the info about the Watch List would even show.

Thank You, Capi
 
 VeryModern
 
posted on September 27, 2000 05:40:24 PM
For all the privacy freaks out there:

http://www.cookiesweeper.com

Gathers all the cookies on your hard drive, tells you where they came from and deletes what you select - all online - great little utility.



 
 amalgamated2000
 
posted on September 27, 2000 05:46:09 PM
Verymodern,

The irony here is that, as far as I know, the only way to solve this particular problem is to replace the password in the URL with.... you guessed it -- a cookie.

----------------------------------------------------------------------
All rights reserved. All wrongs reversed.
 
 heavnsqt
 
posted on September 28, 2000 06:10:45 AM
I will keep reading this post...

 
 labbie1
 
posted on September 28, 2000 08:18:24 AM
Hi VM

THANK YOU SO MUCH for the Cookie Sweeper. Now I know where my son has been.

 
 VeryModern
 
posted on September 28, 2000 09:40:46 AM
oh labbie - that's funny..!

 
 avaloncourt
 
posted on September 28, 2000 09:59:03 AM
amalgamated2000 - I also use HC and saw some of that info coming up in the information. It seemed to be people who had logged in to ebay as the occurrence of the user/pass was few and far between.

This definitely isn't a HumanClick issue because I imagine the banner ad is gathering the same information. I'm sure an astute computer guru would be able to make something less than honorable from the whole situation.

 
 dc9a320
 
posted on September 28, 2000 11:02:52 AM
amalgamated2000: Ironic, yes, a concern, no. Even I would accept that specific cookie. It would be doing an essential action, on one very specific user action, and would not be a third-party cookie.

However, I have seen sites where you type something in and the resulting page neither contains the entered terms in the URL, nor uses a cookie. It's something Netscape calls a "POST" operation, if I recall correctly. I'd rather that eBay do this than a cookie (if possible), just on the general principle of the thing. Either one is better than putting account data in the URL.

Cookies are not an inherently bad thing, they've just been used abusively (mostly by direct marketers like DoubleClick, IMO of course).

[ Edited to add the "Either one" line in paragraph 2. ]
[ edited by dc9a320 on Sep 28, 2000 11:04 AM ]
 
 amalgamated2000
 
posted on November 28, 2000 05:35:10 PM

Anyone else been wondering what's up with the redirect when you click on an auction in "My Ebay"? This is it. The redirect eliminates this security breach.
 
 