During a recent eBay auction, when clicking the “Pay Now” button for an item I had won, I was taken off the eBay site, to a third party merchant site. The merchant site was attempting to verify address information and shipping options, and then forward me to PayPal. I tried going back into my eBay account and making the payment directly to PayPal several times, in an attempt to avoid the third-party site, without success. It appears that eBay is allowing third party merchants to insert their own code and web sites into the checkout process. What’s more, this particular merchant page was a mixture of secure and insecure content and some JavaScript. NoScript took care of the issue for me, but it leaves me wondering.
I am not sure if it is my heightened sense of post-DefCon paranoia, but this just seems like a bad idea to me. If I were a hacker, wouldn’t I just love a way to insert myself into the payment process? With most security analysis processes, I start by examining trust relationships I can exploit. This tends to be fertile ground for logic flaws, and these trust points tend not to be closely inspected by users. If I can insert myself into an established trust relationship to launch my attack, I am far more likely to succeed, and this seems like an open window for me to do just that. Bogus image tags, XSS, XSRF, inline frames, or whatever attack du jour; it seems like a natural target for inserting myself between these two trusted entities. I am not saying that any particular merchant site is insecure at this time, but I am willing to bet that regardless of any vetting process third parties go through, their security is not uniformly as strong as eBay’s and PayPal’s.
In general, I have no relationship with any of the third party merchant software, so I have no reason to trust the sites or their security. I make purchases on eBay with PayPal because I have a basic trust in their sites, processes, and security teams. This trust does not fully extend to every one of their affiliated merchants and third party sites, now and in the future. Not only that, the third party site offers me, the buyer, no added value, only potentially decreased security.
From PayPal’s own “Top Ten Safety Tips”, which they provide with the Security Key, tip number nine is “Stay Safe on eBay: … Pay safely using PayPal, the secure payment method that enables you to shop without sharing your financial information with the seller”. But if the merchant has been linked into the process, and you have to go to a merchant site first, it is somewhat at the seller’s discretion. And if the merchant site has been hacked, all bets are off.
I sent the question over to eBay and PayPal security and have not received a response, so I wanted to know what the community at large felt about this.
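As an added illustration (not part of the original post, and not code from eBay, PayPal or any merchant), this sketch audits an HTTPS checkout page for the kind of mixed secure and insecure content described above, and lists the other hosts the page pulls in or submits to. The hostnames and sample markup are constructed placeholders, and the active/passive split is a simplification of how browsers classify mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute triggers a fetch or a form submission.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "form": "action"}
ACTIVE = {"script", "iframe", "form"}  # can alter the page or carry buyer data


class CheckoutAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (severity, tag, absolute_url) for plain-HTTP loads
        self.third_party_hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        url = urlsplit(urljoin(self.page_url, value))  # resolve relative URLs
        if url.scheme not in ("http", "https"):
            return
        if url.hostname != self.page_host:
            self.third_party_hosts.add(url.hostname)
        if url.scheme == "http":
            severity = "active" if tag in ACTIVE else "passive"
            self.findings.append((severity, tag, url.geturl()))


def audit(page_url, html):
    parser = CheckoutAudit(page_url)
    parser.feed(html)
    return parser.findings, parser.third_party_hosts


# Constructed sample page; hostnames are placeholders, not taken from the post.
SAMPLE_URL = "https://checkout.merchant.example/pay?item=123"
SAMPLE_HTML = """
<html><head>
<script src="/js/cart.js"></script>
<script src="http://cdn.tracker.example/t.js"></script>
</head><body>
<img src="http://img.merchant.example/logo.png">
<iframe src="https://ads.partner.example/frame"></iframe>
<form action="https://payments.processor.example/start" method="post"></form>
</body></html>
"""
```

Calling `audit(SAMPLE_URL, SAMPLE_HTML)` returns the plain-HTTP loads and the set of other hosts involved in the page.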
9 Replies to “Overly Paranoid?”
@Alli – Thanks for the comment. You raise an excellent point, and eBay users may get locked into a single payment processor. I just read that eBay is getting rid of check & money order payments (http://www.dailytech.com/article.aspx?newsid=12734), so your prediction may become true.
Thu, August 21, 2008 9:18pm
Many buyers and sellers have PayPal horror stories to share (we have our own from both buyer and seller perspectives, which I will not burden you with. Suffice it to say that PayPal was unreasonable in their actions). That can be a strong incentive for a seller to not use PayPal.
If a seller already accepts credit cards at their brick-and-mortar store or on their own website, why should they have to use something else to process transactions from their eBay auctions?
eBay, owning PayPal, profits twice from each sale when PayPal is used. However, it is not the mandatory payment method (at least not yet).
Some sellers have been linking to 3rd-party checkout on their own sites for years. This allows them to choose which bank and payment gateway they wish to use (including the system they already use in their own sites and stores).
I do realize the dangers involved with passing the transaction to their own site or to a 3rd-party payment site, and do not take it lightly.
I received a similar email with the same attachment; doing a search on WD6128922.exe returned your site. I also walked through an ebay transaction (sold something on ebay and wanted to print to get an estimate on shipping). I didn’t relate the ebay transaction to this suspect email until I read your post. The email is:
Return-Path:
Received: from noehlo.host ([127.0.0.1])
by montgomery.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1kvTYV5Fn3Nl3qB0; Wed, 20 Aug 2008 16:08:37 -0400 (EDT)
Received: from nt-servera.billblass.com ([208.37.158.140])
by montgomery.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP id 1kvTYGXt3Nl3qB0
for XXXXXXXXXXXXXXXXXX; Wed, 20 Aug 2008 16:08:31 -0400 (EDT)
Received: from [208.37.158.140] by mxlibero2.libero.it; Wed, 20 Aug 2008 15:08:33 -0500
Message-ID:
From: “Benny Hyatt”
To: XXXXXXXXXXXXXXXXXX
Subject: Fedex Tracking N_ 8209765397
Date: Wed, 20 Aug 2008 15:08:33 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01C902D6.9C946E80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=0b; sbw=000;
Out of curiosity mostly, I ran a virus scan on the .zip and the scan said the file was OK… I’m not stupid enough to run the .exe though…
The timestamp on the email is right about the time I was on ebay…
Interesting, and thanks for posting this, I don’t think you are paranoid and I appreciate knowing that this originated from being an ebay…
I pinged Rich since I have his email. Please mail me and I’ll see if I can be of assistance.
Adrian – I’d be concerned as well. Especially considering that PayPal has been victim to some of the most professional phishing attempts.
I recall reporting several phishing attempts to PayPal a couple of years back. One of them warned me against a problem with my payment details, and this was only a few days after I actually changed them, so it fell on fertile ground. Of course hovering over the link revealed a different URL (paypal.something.com), but someone else would’ve clicked it immediately.
I suppose you can trust eBay to prevent hijacking of links on their own sites, but once you’re out on a 3rd party merchant’s site, it’s a jungle and anything could happen.
@Brian – I was hoping to hear something back from either organization, but nothing of substance yet. EBay sent an email saying someone would contact me. I got a form eMail from PayPal asking me to go through their automated form submission system, but this issue is not characterized by any of their pre-packaged form drop downs. I am interested to see what they do with requests that cannot be blindly addressed by a FAQ … I should give them the benefit of the doubt but I get a feeling the email is sitting in limbo somewhere.
@Alex – From a security standpoint I completely agree. The other factor was privacy, so even if the third party is secure, they are now part of the process and they are capable of harvesting information if they choose to do so. And it could be done without the buyer, seller or eBay knowing about it. Sellers are using third party services to streamline posting and selling items, which is fine, but that is the seller’s choice, not the buyer’s.
I don’t think you’re overly paranoid now because it’s a relatively unknown practice. Give it 6-8 months and if there’s no significant change in the threat landscape *then* you might perceive less risk.
I have not yet experienced this, but I would be just as concerned as you are. I hope you share the outcome of your communications with eBay/PayPal regarding this matter.
In the meantime, I’m keeping my shields up. 🙂
I don’t think you’re being overly paranoid. Being a security guru you actually noticed the third party site and questioned its nature. Most people would not have even noticed the redirection and that’s how companies are able to pull off inserting the third party nonsense. As you mentioned NoScript is a great tool for picking up on the third party tracking