eBay Password Passed in Chrome Plugin URL - Security Risk
bigbluesd (Guest)
Posted: Mon Jun 24, 2019 7:37 am    Post subject: eBay Password Passed in Chrome Plugin URL - Security Risk

Mario,

I just noticed that when using the Chrome plugin my eBay username and password are exposed in plain text in the URL request (see below). This is a huge security risk. My eBay login would be exposed to anybody who gained access to the Gixen webserver logs. Why does the user's eBay login need to be passed by URL?

See below:

http://i.imgur.com/FNjNcYg.jpg
Cupid
Joined: 09 Aug 2007
Posts: 7575
Location: Bristol, UK
Posted: Mon Jun 24, 2019 8:27 am

It's in the URL, but that's an HTTPS connection it's using, so it is not exposed in transit to Gixen.

It's also not your Ebay login, it's your Gixen credentials, which should be different.

How would anyone other than Mario gain access to the Gixen webserver logs? They'd have to gain access to the Gixen servers in order to do that, which has never happened.

The only ones that are able to gain access to this are those that can access your screen while you are using the plugin... so, I'd tend to agree it's not prudent to use this on a computer that is not your own (but why would you install this plugin if it weren't?), or in public where others can look over your shoulder at what you are doing.

If by some chance someone got these credentials by that means, they would be able to log into your Gixen account and schedule snipes, not into Ebay to pay for anything won or get it shipped to themselves... so, it really wouldn't be worth anyone's while to do so, other than just to annoy you, would it?

Nevertheless, I think it is worth investigating passing them as hidden fields on that form; I'll let Mario and Keith determine whether or not it's feasible to do that.
_________________
Mark
bigbluesd (Guest)
Posted: Mon Jun 24, 2019 10:35 am

No, it is definitely the eBay username and password, not the Gixen login.

And there are many ways that it can be exposed. For example...

If a user has malware on their computer which hijacks the browser and intercepts URLs (which is very common) your eBay account credentials will be sent via plaintext to wherever the malware developers want it sent.

Even though the connection itself is encrypted, the URL request is still stored in plain text in the web server's log files. If anybody hacks the web server or otherwise gains access to the log files, the user's eBay credentials are now visible in plain text.

It raises another concern - how are eBay login credentials stored in the Gixen database? Are they stored in plaintext or are they encrypted?

Passing any kind of password in plain text as a URL argument is not good security practice, especially when it's to a site like eBay. Gaining access to an eBay account can be used for extensive fraudulent purposes.
Cupid
Joined: 09 Aug 2007
Posts: 7575
Location: Bristol, UK
Posted: Mon Jun 24, 2019 11:21 am

Gixen doesn't have your Ebay credentials; it's therefore impossible for them to be in that URL. It doesn't store them, because it doesn't have them... you're clearly, at the very least, out of date with how this service works.

It's only in the case where you have the same Gixen credentials as Ebay credentials that your statement could have any validity. Gixen can't force you to use different ones, but it is, and always has been, strongly advised that you don't do that and that you choose completely different ones.

If your computer is infected, then there are many, many ways that your credentials can be compromised, via this route is but one and not even the most likely... This particular url is the least of your worries in this scenario that you are talking about, and you would need to get your computer sorted out as soon as possible whether or not you ever used the Gixen service.

As previously stated, what makes you think the Gixen web server is vulnerable to being hacked? Mario is a professional in this field, it's never happened and it's very unlikely that it ever will.

Please don't scaremonger on this, it's not helpful or in the spirit of this community, where we endeavour to help each other, not attack with malicious intent.
_________________
Mark
bigbluesd (Guest)
Posted: Tue Jun 25, 2019 9:31 pm

It appears that the eBay credentials have something to do with either my password manager (LastPass) or my browser having the wrong login stored for Gixen (I must have tried logging in with the wrong password at some point and it saved it) although it's not clear why it's being inserted into that URL. This still does not change the fact that credentials are being passed in plain text in a URL which is a security issue.

You assert that there is little an attacker could do with a Gixen login; however, the problem is that many people use the same passwords across many sites, and having their Gixen login compromised may also compromise their email, their banking accounts, their social media, etc. Nobody disputes that it's a dumb idea to have the same password across multiple sites, but the vast majority of your users do it anyways.

The bottom line is that the Gixen plugin is passing a URL which very clearly includes login credentials and there are other ways that it could be handled which are much more secure.

The quick and easy solution for this is to not include login credentials in the Javascript link that the plugin produces on the eBay item page... instead Gixen can either look for an existing login cookie or show the login form on the generated page if the user is not already logged in (as it does now if you don't have login info saved in the plugin). At least this way it will be always passed by the POST method instead of by URL and will always be encrypted.

Quote:
As previously stated, what makes you think the Gixen web server is vulnerable to being hacked? Mario is a professional in this field, it's never happened and it's very unlikely that it ever will.


Evernote was hacked a week ago. U.S. Customs and Border Protection was hacked two days before that. Quest Diagnostics a week before that. Flipboard a few days before. Instagram a month ago. Citrix a few weeks prior. Microsoft on April 15th. Facebook two weeks prior. Should I keep going? That's only the last couple of months and I'm only pointing out the major companies which have been compromised, there have been many more smaller websites in the same timespan. You don't think these guys have "professionals" on board?

Quote:
Please don't scaremonger on this, it's not helpful or in the spirit of this community, where we endeavour to help each other, not attack with malicious intent.


I'm a user reporting an issue. My intent is not to have my username and password visible to a third party through your server logs or my browser history, is that malicious? I've fixed this issue for myself and offered your team a reasonable suggestion to solve it for others. If they want any other info they can contact me directly.
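The access-log exposure discussed in this thread (a GET query string is written to the web server's log, while fields sent in a POST body are not), shown as an added example that is not part of this thread or of Gixen's own software: a small Python scanner that flags credential-like query parameters in access-log lines and redacts their values before the log is retained. The parameter names, paths and log lines are constructed assumptions, not Gixen's real URLs.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Query-parameter names treated as secrets (assumed list; extend for your application).
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "token", "api_key", "apikey", "secret"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_leaked_params(target):
    """Names of sensitive query parameters present in a request target (path + query)."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return sorted({k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})

def redact_target(target):
    """Same request target with every sensitive parameter value replaced by REDACTED."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()

def scan_log(lines):
    """Return (findings, sanitized_lines): findings is one (client_ip, method, param_names)
    tuple per request that carried a secret in its query string; sanitized_lines is the
    input with those values removed. A POST that sent the same fields in its body never
    reaches the access log, so it is not flagged."""
    findings, sanitized = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            target = m.group("target")
            leaked = find_leaked_params(target)
            if leaked:
                findings.append((m.group("ip"), m.group("method"), leaked))
                line = line.replace(target, redact_target(target), 1)
        sanitized.append(line)
    return findings, sanitized

# Constructed sample lines: a GET with credentials in the query string, the same action done
# as a POST (the credentials travelled in the body and are absent here), and a harmless GET.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jun/2019:07:30:01 -0800] "GET /snipe?username=alice&password=hunter2&item=12345 HTTP/1.1" 200 512 "https://www.ebay.com/itm/12345" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Jun/2019:07:31:10 -0800] "POST /snipe HTTP/1.1" 200 512 "https://www.ebay.com/itm/12345" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jun/2019:07:32:44 -0800] "GET /status?item=67890 HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]
```

Running `scan_log(SAMPLE_LOG)` reports the first line only and returns a copy of the log with `hunter2` replaced; the POST line is untouched because the secret was never in the request line.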
Cupid
Joined: 09 Aug 2007
Posts: 7575
Location: Bristol, UK
Posted: Wed Jun 26, 2019 4:18 am

I think your suggestion reduces functionality, as per previous versions of the tool, doesn't it? I have a vague recollection of Keith updating it, as a result of user requests, so as not to have to prompt for credentials quite so often, which may be why he chose to do it this way, that's informed speculation on my part though.

I also suggested an approach earlier, using hidden fields on the page, that's how I've approached this issue in the past. However I've not used the plug-in technology that is being used to allow access to update the Ebay page within the browser dynamically, so that may not be an option for this case.

Please note I'm also a user, I don't have any access to the software to update it, that's why I mentioned Keith and Mario. Keith is the developer of that tool and Mario is in exclusive control of all server side software and set up of the servers.

In my experience, on professional production systems web server logs are often directed to /dev/null so that they don't clog up the system, so they might not even exist as you have assumed they do; naturally I have no idea whether that's the case for Gixen though.

Just one further note: certainly many sites have been, and continue to be, hacked; there has to be an upside for the hacker in doing so. I'm simply pointing out that even if Gixen were targeted for such an attack, and in the unlikely event that such an attempt were also successful, there isn't really any upside for that hypothetical successful hacker, which there was in all the other cases that you quote, which makes it much less likely that anyone would even bother trying.

Nonetheless, your input is appreciated (certainly by me) and, I hope you agree, taken seriously... I'm sure when they have some time available, and see this thread, that both Mario and Keith will be more than happy to engage, as I have done so far, with the prospect that something will be changed, in this respect, as a result of your report/suggestion.
_________________
Mark
mario (Site Admin)
Joined: 03 Oct 2006
Posts: 7111
Posted: Sat Jun 29, 2019 5:51 am

When it comes to the transmission of the network request itself, it makes no difference whether GET or POST is used.

As for the web server logs - Gixen rotates them, but if the server itself is ever broken into, attackers would try other ways to obtain Gixen credentials (but not eBay! - Gixen does not receive or have eBay credentials any longer). If this were to ever happen - I have a number of ways to detect intrusion (which I am obviously not going to discuss in the forum), and it would result in all eBay authorizations being revoked.

Gixen does not store credit cards or similar financial information. I treat security of Gixen servers as if it contained high-value financial information, which, in reality, it doesn't.
Keith (Guest)
Posted: Fri Jul 05, 2019 7:58 am

bigbluesd, if you do not like the password being stored in the autosnipe plugin, I would suggest not adding it to autosnipe and either manually typing it in or using a password manager.

Keith
All times are GMT - 8 Hours