NOTE:
I am posting this article in an attempt to shed light on a serious
Turbo Lister issue, in hopes that eBay will soon catch on
and revise their software. The issue at hand makes it very
easy for anyone to obtain the password and username for ALL
eBay accounts that have been entered into the Turbo Lister
software on any particular computer. I am not sharing this
information to encourage illegal or inappropriate behavior,
but I do hope eBay realizes the dangers in the current Turbo
Lister design. Heck, even my own Dominant Ad Creator software
encrypts any passwords entered into it (for FTP or eBay-specific
data). Surely eBay can do better with their software.

Turbo Lister is eBay's bulk uploader
and management software that took over the original Mister
Lister utility some time ago. In addition to the software
being extremely bulky (over 18MB), there are required updates
released almost on a daily basis due to eBay's constantly
changing site. The updates are also quite bulky, but at least
the developers have finally implemented a progress bar so
you know about how far the download is!

Anyways, the point of this article
is to discuss a potentially serious security issue that Turbo
Lister poses for its users. You see, Turbo Lister stores the
meat of the software in a Microsoft Access database
file titled app.mdb. This file resides
in the Data sub-folder of the Turbo Lister directory, along
with various other database files. Inside of the app.mdb
file, there are around 20 different tables, each
of which stores important information about eBay and Turbo
Lister (Category list, eBay listing URLs, etc). Within one
of these tables lie all usernames and passwords currently
configured in Turbo Lister, without any encryption added.

I shouldn't get ahead of myself...
eBay does provide a small bit of security by password protecting
the database files with a 20-letter, alphanumeric password.
Each database file uses the same password, and the password
does NOT change from update to update. Before you can get
inside any database file, you merely need to know this password.
I won't go into any specifics about how to do so, but I will
say it is extremely easy using any one of many Access Password
Recovery tools available on the net. For this reason, eBay
should realize that password protecting database files is
only one very tiny step in securing sensitive information.
In fact, getting around Access passwords is such a quick and
painless procedure, it took me three clicks and then a simple
copy-and-paste to get into the database (roughly one minute
from start to finish).

So, after we have obtained the password
for the database files, we can open any of them up in Microsoft
Access, enter the password, and we are presented with the
most important material in the entire Turbo Lister program.
The file of most interest is app.mdb as discussed
earlier. Inside of this file, there is one table called "Users".
If you double-click that particular table, you will be presented
with a nice, visual list of all users currently configured
to use Turbo Lister. The table lists the usernames in one
column, matching passwords in the next column, and the matching
database file for that particular user's settings.

Hopefully you too can see the potential
problems that could arise if anyone else has access to another's
computer with Turbo Lister installed (or as some call it,
Turbo Blister).
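
For contrast, here is an added example (not part of the original article, and not eBay's or Dominant Ad Creator's code) of how a Windows desktop application could keep a saved password encrypted per Windows user with DPAPI instead of in a plain-text column. The row layout, function names and sample values are hypothetical, and the script assumes Windows PowerShell 5.1.

```powershell
# Added example: store a saved password as a DPAPI blob instead of plain text.
# Function names, row layout and sample values are hypothetical.
Add-Type -AssemblyName System.Security

# CurrentUser scope: the key is derived from the logged-in Windows account,
# so there is no shared, hard-coded secret shipped with the application.
$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-StoredPassword {
    param([Parameter(Mandatory)][string]$Password,
          [Parameter(Mandatory)][string]$UserName)
    $plain   = [System.Text.Encoding]::UTF8.GetBytes($Password)
    # Extra entropy binds the blob to its row; pasted into another row it will not decrypt.
    $entropy = [System.Text.Encoding]::UTF8.GetBytes("users-table:$UserName")
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $Scope)
        [Convert]::ToBase64String($blob)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # do not leave plaintext bytes around
    }
}

function Unprotect-StoredPassword {
    param([Parameter(Mandatory)][string]$Blob,
          [Parameter(Mandatory)][string]$UserName)
    $entropy = [System.Text.Encoding]::UTF8.GetBytes("users-table:$UserName")
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Blob), $entropy, $Scope)
    try { [System.Text.Encoding]::UTF8.GetString($plain) }
    finally { [Array]::Clear($plain, 0, $plain.Length) }
}

# Constructed sample rows: what the article describes vs. the protected form.
$weakRow = [pscustomobject]@{ UserName = 'seller_example'; Password = 'constructed-sample-pw' }
$hardRow = [pscustomobject]@{
    UserName     = 'seller_example'
    PasswordBlob = Protect-StoredPassword -Password 'constructed-sample-pw' -UserName 'seller_example'
}

$weakRow | Format-List   # password readable by anyone who can open the file
$hardRow | Format-List   # opaque blob; useless when the file is copied to another account or PC

# Round trip as the same Windows user succeeds.
$ok = (Unprotect-StoredPassword -Blob $hardRow.PasswordBlob -UserName $hardRow.UserName) -eq 'constructed-sample-pw'
"Round trip as current user: $ok"
```

DPAPI with CurrentUser scope protects a copied database file and other accounts on the same machine, but not against code already running as the same Windows user.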