
#705 eBay changes: Could not log in

v1.0 (example)
closed-fixed
nobody
None
5
2016-10-30
2016-10-06
Michael S.
No
    Automated esniper bug report.
    esniper version 2.31.0
    libcurl/7.38.0 OpenSSL/1.0.1t zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
    Error encountered in function ebayLogin in auction.c line 489
    auction = 142133238046, price = 11.33, remain = 0
    latency = 0, result = -1, error = 19
    buf = 0xcc00e0, size = 14785, read = 0xcc00e0
    time = 1475744062, offset = 0
    pagename = "Error", pageid = "(null)", srcid = "(null)"
    specified options or config values:
      1 x username(u) = ***
      1 x password() = ***
      1 x seconds(s) = 5
      1 x quantity(q) = 2
      1 x (c) = ".cfg"
      1 x (f) = "crank.cfg"
    unknown pageinfo
1 Attachments

Discussion

  • Michael S.

    Michael S. - 2016-10-08

    HTML source:

    .
    .
    <input size="40" maxlength="64" name="1662123377" id="1662123377" type="password" autocapitalize="off" autocorrect="off" placeholder="Password" class="fld"></span></div><div id="spanLbl"><input name="pass" id="pass" type="password" class="cn0923" autocomplete="off" tabindex="-1" placeholder="Password"><span id="passLabelSpan" class="g-hdn"><label for="pass">Password  </label></span>
    .
    .
    

    Transmission:
    https://signin.ebay.com/ws/eBayISAPI.dll?...pUserId=xxxxx&...&1662123377=yyyyyy&pass=&...

     
  • Michael S.

    Michael S. - 2016-10-09

    I've done some coding on this issue and extracted some of the values from the HTML source. But if I transmit the data back to the login server I still get

    Input Error
    
    One of the parameters received was invalid for this function. This probably means that your browser had problems with the form or you invoked the function incorrectly. Please go back and try again. If you're using an old bookmark, you may need to rebookmark it due to recent changes to protect your privacy. We are aware of the problem and are working tirelessly to resolve it as quickly as possible.
    

    If someone would like to investigate this issue, I can attach the changed source of auction.c.

    {edit} Actual version of "auction.c" attached to latest posting {/edit}

     

    Last edit: Michael S. 2016-10-11
  • Michael S.

    Michael S. - 2016-10-09

    The parameters bhid, htmid + kdata are not accessible by simply analysing the HTML source. The content will be generated by JavaScript while typing data into the form.

     
  • Andriy Kramar

    Andriy Kramar - 2016-10-10

    Hello.
    Hope this will help:
    After sending a few test requests I found that eBay actually still uses the userid and pass fields, it just also needs their "number-named" twins to be present in the request to their backend: "https://signin.ebay.com/ws/eBayISAPI.dll?co_partnerId=2&siteid=0&UsingSSL=1"
    The JS logic of the signin form seems to be not so complicated (yet) - they just copy the value of the numeric field to its display:hidden counterpart (named either userid or pass) before submit. Sooo... it is possible to write code that would scan SignInForm, populate userid and pass and then look for two fields with names /^\d{10}$/. Then we check its type - if it is text - we populate it with userid, if it is password - ... Finally, we need to pass to the eBay backend all the fields found in the form+populated by us. Voila!
    At least, I've managed to get the eBay WatchList for my account this way using curl. Not yet sure the bidding will work.
    Sorry, I'm not-so-good with C, so cannot provide a patch myself.

     
  • Andriy Kramar

    Andriy Kramar - 2016-10-10

    Hi.
    The process in general is shown below.
    Notes:
    1. The user agent string may be different, but must be the same in all curl calls.
    2. It looks like eBay sets some cookies it then uses to verify auth at a very early stage - when we first download the signin form. We have to save them from this point.
    3. All fields in req.txt can be obtained from SignInForm fields + credentials.

    # Step 1: Get the form.
    curl -A "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0" -c cookies.txt -L "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn" > signin.html

    # Step 2: Analyze signin.html and prepare the req.txt file with names & values from the form and our credentials...
    # Step 3: Try to authorize.
    curl -A "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0" -b cookies.txt -c cookies.txt -L --data-binary @req.txt "https://signin.ebay.com/ws/eBayISAPI.dll?co_partnerId=2&siteid=0&UsingSSL=1"

    # At this point, if all went well, we have the session saved in cookies.txt.
    # Step 4: Check if it worked - get the MyEbay or WatchList page.
    curl -A "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0" -b cookies.txt -c cookies.txt -L "http://my.ebay.com/ws/eBayISAPI.dll?MyeBay" > res.html
    # If all is well, we can see the MyEbay Summary page HTML in res.html.
    

    Also, I'll post a sample request body (req.txt that actually worked) with my credentials replaced by {userid},{password} (req_example.txt)

     
  • Michael S.

    Michael S. - 2016-10-10

    Attached the solution to the problem:
    Download my auction.c and replace the original file.
    Run make (and make install).

    {edit} Actual version of "auction.c" attached to latest posting {/edit}

     

    Last edit: Michael S. 2016-10-11
  • akshimassar

    akshimassar - 2016-10-10

    Hey, Michael! Thanks for publishing that solution. It works for me, however it is rather unstable. Approximately once per 5 starts it catches a segfault.

     
    • Sergei Gagarin

      Sergei Gagarin - 2016-10-10

      It seems that SEGV is caused by using "&szRes" expressions in code. Just replace them with "szRes".

      Thanks to Michael for the solution.

       
      • ABK

        ABK - 2016-10-10

        Thanks guys. I've got a wrinkle though.
        If I remove "&" from "&szRes", I get
        auction.c:446:28: error: expected expression before ‘,’ token
        memset(, '\0', sizeof(szRes));
        error when I run make. With "&" seems inconsistent like you mentioned...

         
        • Sergei Gagarin

          Sergei Gagarin - 2016-10-10

          memset(szRes, '\0', sizeof(szRes));

           
          • ABK

            ABK - 2016-10-10

            Muchas gracias! I was replacing all 4 instances before.

             

            Last edit: ABK 2016-10-10
  • Sergei Gagarin

    Sergei Gagarin - 2016-10-10

    There is another reason for SEGV: sometimes the eBay sign-in form is language dependent! So neither the username nor the password tag is detected.

     
  • Sergei Gagarin

    Sergei Gagarin - 2016-10-10

    Here is the English version

     
    • Garry Glendown

      Garry Glendown - 2016-10-12

      Here's the ebay.de signin form ...

      --
      PGP Fingerprint: A79F A33F 5B13 BEB7 A51D 274F F99C 3AE2 4BCB 7015

       
      • Michael S.

        Michael S. - 2016-10-12

        There is no language dependency. The latest version only searches for HTML tags and attributes - not for text content.

         
        • Garry Glendown

          Garry Glendown - 2016-10-13

          There is no language dependency. The latest version
          https://sourceforge.net/p/esniper/bugs/_discuss/thread/4c63a3a9/39ff/attachment/auction.c
          only searches for HTML-tags and attributes - not for text content.

          Confirmed ... working for ebay.de ... Thanks to all involved for the
          efforts!

          --

          PGP Fingerprint: A79F A33F 5B13 BEB7 A51D 274F F99C 3AE2 4BCB 7015

           
  • Sergei Gagarin

    Sergei Gagarin - 2016-10-10

    And this is the Russian version

     
  • Sergei Gagarin

    Sergei Gagarin - 2016-10-10

    It seems a loop can help: re-get LOGIN_1_URL until the username and password tags are found. Sometimes more than 10 retries are required.

     
  • Michael S.

    Michael S. - 2016-10-11

    A solution to this could be to put the current fixed strings ">Email or username<" and "Password" into the main configuration file and print out an error message if the default settings are not found in the login page source. Or a better strategy to find the "number-named" fields for userid and password. If you have problems with the current version, just put the required string (e.g. ">Адрес эл. почты или логин<", "Продолжить", ...) into headerattrs[];

     
  • Michael S.

    Michael S. - 2016-10-11

    I've changed the strategy to find the "number-named" fields.
    If you run with the debug option "-d", you will see in the log file esniper.xxxxxx.log whether the lookup for userid and password was successful:

    *** 2016-10-11 12:03:07.464042 findattr(): <label for="userid">=1034244922
    
    *** 2016-10-11 12:03:07.465104 findattr(): "password"=1021570232
    

    I'm looking forward to your feedback.

    {edit} Actual version of "auction.c" attached to latest posting {/edit}

     

    Last edit: Michael S. 2016-10-12
    • Sergei Gagarin

      Sergei Gagarin - 2016-10-11

      Yes, now it works both with English and Russian versions of sign-in page.
      Thank you!

       
  • Michael S.

    Michael S. - 2016-10-11

    I've now merged the two functions 'findattr' and 'getvals' into a new function 'signinFormSearch'. 'findattr' and 'getvals' are now just wrappers for two similar kinds of search. But: The code is now not easy to read for people who are not "every day C-Coders" ;-)

    {edit} Actual version of "auction.c" attached to latest posting {/edit}

     

    Last edit: Michael S. 2016-10-12
  • Michael S.

    Michael S. - 2016-10-12

    And now the final contribution including error handling, if something went wrong with the signup form.

    Thanks to Andriy and Sergei for their support!

     

    Last edit: Michael S. 2016-10-12
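
The field lookup Andriy Kramar describes in the thread (find the two inputs whose name matches /^\d{10}$/ and tell them apart by type), with the not-found case Sergei Gagarin mentions reported as an error rather than used. This is an added example, not the code from the attached auction.c; the function names and the sample form are assumptions, constructed from the fragments quoted in the thread.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample, modelled on the form fragment quoted in the thread. */
static const char SAMPLE_FORM[] =
    "<input size=\"40\" name=\"1034244922\" id=\"1034244922\" type=\"text\" class=\"fld\">"
    "<input name=\"userid\" id=\"userid\" type=\"text\" class=\"g-hdn\">"
    "<input size=\"40\" name=\"1662123377\" id=\"1662123377\" type=\"password\" class=\"fld\">"
    "<input name=\"pass\" id=\"pass\" type=\"password\" class=\"cn0923\">";

/* Copy the value of attribute `attr` from the tag text [tag, end) into out.
 * Returns 0 on success, -1 if the attribute is absent or does not fit. */
static int get_attr(const char *tag, const char *end, const char *attr,
                    char *out, size_t outsz)
{
    char key[32];
    size_t klen = (size_t)snprintf(key, sizeof key, " %s=\"", attr);
    for (const char *p = tag; p + klen < end; p++) {
        if (strncmp(p, key, klen) != 0) continue;
        const char *v = p + klen;
        const char *q = memchr(v, '"', (size_t)(end - v));
        if (!q || (size_t)(q - v) >= outsz) return -1;
        memcpy(out, v, (size_t)(q - v));
        out[q - v] = '\0';
        return 0;
    }
    return -1;
}

/* Hypothetical helper: find the inputs named with exactly 10 digits, by type.
 * Returns 0 only when both were found; on -1 the caller must stop. */
int find_numeric_fields(const char *html, char user[11], char pass[11])
{
    user[0] = pass[0] = '\0';
    for (const char *t = strstr(html, "<input"); t; t = strstr(t + 1, "<input")) {
        const char *end = strchr(t, '>');
        char name[16], type[16];
        if (!end) break;                       /* truncated tag: stop scanning */
        if (get_attr(t, end, "name", name, sizeof name) != 0) continue;
        if (get_attr(t, end, "type", type, sizeof type) != 0) continue;
        if (strlen(name) != 10 || strspn(name, "0123456789") != 10) continue;
        if (strcmp(type, "text") == 0) strcpy(user, name);
        else if (strcmp(type, "password") == 0) strcpy(pass, name);
    }
    return (user[0] && pass[0]) ? 0 : -1;
}

int main(void)
{
    char u[11], p[11];
    if (find_numeric_fields(SAMPLE_FORM, u, p) != 0) return 1;
    return printf("userid field=%s password field=%s\n", u, p) < 0;
}
```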