[Fwd: ebay sends passwords in the clear]

The Wolf xanadu@speedchoice.com
Sun, 27 Feb 2000 09:11:09 -0700



Since there was a lot of talk about e-bay, you may be interested in the security
of the site.

The Wolf


Message-ID: <4.2.0.58.20000220015041.00be1790@mail.cruzio.com>
Date: Sun, 20 Feb 2000 02:00:04 -0800
Reply-To: Andrew Bennett <abennett@CRUZIO.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Andrew Bennett <abennett@CRUZIO.COM>
Subject: Re: ebay sends passwords in the clear
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200002161903.LAA12086@relay.EECS.Berkeley.EDU>

At 11:03 AM 2/16/00 -0800, rfromm@cs.berkeley.edu wrote:
>I've been trying to get ebay to do something about this for a month and a
>half, to no avail.  See http://avocado.dhs.org/ebpd/ for details, including an
>ebay password sniffer.

I noticed that ebay has a link on their Sign In feature page to sign in via
SSL.  It's not the most obvious link.  An easy way to get there:

- when prompted for your id/password, below the box, click the Sign In link
- when prompted again for your id/password, below the box, click the 'here' link

Of course, take note of the cookie that they will place on your
computer.  You'll have to close your browser, or it will expire in 40
minutes of inactivity, whichever comes first, according to the web page.

Couple this with the 'my ebay' preferences as to which activities you want
your password remembered for, and one might only have to enter their password
once, during the SSL session where the cookie gets set.


Andrew
--
   Andrew Bennett
   abennett@cruzio.com
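A defender's check for the two conditions this message raises, added here as an example and not code from the thread or from eBay: whether a sign-in page's password forms post over https at all, and whether the session cookie set during the SSL sign-in carries the Secure attribute, without which a browser will also send it on later plain-HTTP requests. The page URL, HTML and Set-Cookie values are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collect [action, has_password_field] for every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def cleartext_password_forms(page_url, html):
    """Resolved action URLs of password forms that would post over anything other than https."""
    scanner = _FormScanner()
    scanner.feed(html)
    bad = []
    for action, has_password in scanner.forms:
        target = urljoin(page_url, action)  # an empty action posts back to the page itself
        if has_password and urlsplit(target).scheme != "https":
            bad.append(target)
    return bad

def insecure_cookies(set_cookie_headers):
    """Names of cookies set without Secure, which a browser would also send over plain HTTP."""
    names = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            names.append(parts[0].split("=", 1)[0])
    return names

# Constructed sample input: a sign-in page with a plain-HTTP form and an SSL form, plus the
# Set-Cookie headers returned after signing in (Max-Age=2400 is the 40-minute idle window).
SAMPLE_URL = "http://auction.example/signin"
SAMPLE_HTML = ('<form action="/login" method="post"><input name="userid">'
               '<input type="password" name="pass"></form>'
               '<form action="https://secure.auction.example/login" method="post">'
               '<input type="password" name="pass"></form>')
SAMPLE_COOKIES = ["session=abc123; Path=/; Max-Age=2400", "pref=1; Path=/; Secure"]
```

Running `cleartext_password_forms(SAMPLE_URL, SAMPLE_HTML)` flags only the relative-action form, and `insecure_cookies(SAMPLE_COOKIES)` flags only the session cookie.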

