Title: Ebayla Bug - JavaScript eBay Password Theft
Date Issued: April 20, 1999
Last Modified: April 20, 1999
Code: BWC-990420
Source: Misc
THE EBAYLA BUG AND HOW TO PROTECT YOURSELF
http://because-we-can.com/ebayla/default.htm

This page describes a security problem that Blue Adept discovered with
eBay's on-line auctions on March 31, 1999 (realaudio interview). The
security hole allows eBay users to easily steal the passwords of other
eBay users. The exploit involves posting items for bid that include
malicious javascript code as part of the item's description. When an
unsuspecting eBay user places a bid on the item, the embedded
javascript code sends their username and password to the malicious
user by e-mail. From the victim's point of view, nothing unusual seems
to have occurred, so they are unlikely to report/complain to eBay.

      
Once a malicious user knows the username/password of the victim's eBay
account, she can assume full control of the account, including the
ability to:
           
* create new auctions (automatically charging the victim's account),
* place bids in the victim's name,
* retract legitimate bids in the victim's name,
* change the victim's username/password, barring them from eBay,
* associate bogus negative/positive comments with an arbitrary seller,
* prematurely close an auction being run by the victim,
* insert the ebayla code into the victim's auction.
           
(The code could be altered to do this automatically, which would
constitute an ebayla virus).

      
The security problem is dangerously easy to take advantage of. A
malicious user needs only to embed the javascript code into their
description of an item for auction. A walk-through of the exploit
demonstrates step-by-step how any user can steal eBay passwords.

      
Blue Adept notified eBay that a 'huge' potential security problem
existed on March 31, 1999 and offered assistance (but as of May 7, 1999
has only received form letter KMM798062C0KM in reply). Information
about the ebayla exploit is being made publicly available to speed the
process of fixing the security hole.

TRY THE EBAYLA BUG DEMO ON YOURSELF!

      
Visit a working demonstration of this exploit at eBay! The demo works
with any javascript-enabled browser, such as Netscape or Internet
Explorer. Users must register (free) with eBay to place bids.

          
The demo is Blue Adept's own auction infected with eBayla
code. WARNING! When you bid on this item (or even just review your bid
without placing it), your username and password will automatically be
mailed back to because-we-can.com.

http://cgi.ebay.com/aw-cgi/eBayISAPI.dll?MfcISAPICommand=ViewItem&item=93164375

      
HOW TO PROTECT YOURSELF
      
Unfortunately, the potential security issues at eBay are difficult to
spot and avoid. If you are unfamiliar with spotting suspect javascript
in the docsource of an html document, the best way to protect yourself
may be to avoid using eBay until adequate html filters have been
implemented.
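
Spotting suspect javascript in the source of an item description can be
done mechanically. The following is an added example, not code from Blue
Adept or eBay: a Python audit pass that flags script-bearing markup in a
seller-supplied description. The tag and attribute lists and the sample
description are constructed for illustration and are not a complete filter.

```python
from html.parser import HTMLParser

# Illustrative lists (assumptions for this example), not a complete filter.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class DescriptionAuditor(HTMLParser):
    """Collects (line, reason) pairs for script-bearing markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                self.findings.append((line, f"event handler {name} on <{tag}>"))
            # The parser has already decoded entities such as &#106;.
            # Drop whitespace/control characters, which browsers tolerate
            # inside a URL scheme, before comparing.
            compact = "".join(c for c in (value or "") if c > " ").lower()
            if name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                self.findings.append((line, f"script URL in {name} on <{tag}>"))


def audit_description(html_text):
    """Return findings for one seller-supplied item description."""
    auditor = DescriptionAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample description; the script bodies are inert placeholders.
SAMPLE = """<b>Vintage camera</b>, works fine.
<script>/* seller-supplied code would run here */</script>
<img src="cam.jpg" onload="void 0">
<a href="&#106;ava&#9;script:void(0)">more photos</a>
<p>Ships worldwide.</p>"""

if __name__ == "__main__":
    for line, reason in audit_description(SAMPLE):
        print(f"line {line}: {reason}")
```

A finding marks a description for review or rejection; output encoding or
an allow-list sanitizer is still what keeps such markup from executing.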