Hijack Bug on eBay

Tuesday, September 17, 2013 @ 05:09 PM gHale


Often, in the manufacturing automation sector, spare parts for some of the ancient systems still in service are difficult to find. So when a company needs a spare, it frequently goes on eBay to hunt down the correct part.

Now those would-be buyers need to be aware that there are a few security issues on eBay, including a cross-site request forgery (CSRF or XSRF) vulnerability that hackers can exploit to compromise user accounts.


IT consultant and tech enthusiast Paul Moore found that the eBay page which lets users update their profile is vulnerable to XSRF. That’s because the form lacks the field (an anti-CSRF token) that ties a submission to the user’s active session cookie.

This allows hackers to have the victim’s browser submit the form with attacker-chosen, pre-populated data. The password itself cannot be changed this way; however, the information needed to reset the password can.

The attacker needs to submit the form with his own phone number and postcode, the information required when resetting the password.

An eBay option allows the four-digit confirmation code to be sent to a phone number instead of an email address, and the hacker picks the number he entered earlier when he submitted his own information.

Access to an eBay account doesn’t allow the hacker to steal the victim’s PayPal username and password. However, as Moore said, he doesn’t need that information.

The hacker can put a fictitious item up for sale (with a “Buy It Now” price) and bid for it from the victim’s account.

Another major issue is that when the attacker submits his own information to update the victim’s account, he can also change the secret question. This means that even if the user changes his password, or eBay fixes the CSRF issue, the hacker can still regain access to the account.

Moore also said eBay doesn’t use SSL consistently. When users log in to their accounts, the data is transmitted over SSL.

On subsequent pages, however, plain HTTP is used, allowing hackers to intercept the session cookie and use it to log in as the victim.

In addition, the cookies are not flagged HttpOnly, which would make it a bit more difficult for cybercriminals to steal them.
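To make the two defensive points above concrete (the missing anti-CSRF field on the profile form, and the missing cookie flags), here is an added example, not eBay's code or Moore's, that models a profile-update handler without and with a session-bound synchronizer token and emits a session cookie with HttpOnly and Secure set. The session store, signing key, field names and sample values are all constructed for the illustration.

```python
import hashlib, hmac, secrets
from http.cookies import SimpleCookie
SESSIONS = {}  # constructed in-memory session store (sid -> profile); not eBay's code
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment signing key
PROFILE_FIELDS = ("phone", "postcode", "secret_question")

def new_session(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid

def csrf_token(sid):
    """Synchronizer token: an HMAC over the session id, so it is bound to the cookie."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def update_profile_vulnerable(cookies, form):
    """Missing-token handler (the flaw as described): any request carrying the cookie is accepted."""
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return 401
    sess.update({k: form[k] for k in PROFILE_FIELDS if k in form})
    return 200

def update_profile_hardened(cookies, form):
    """Same handler plus the token check; a cross-site form post cannot supply a valid token."""
    sid = cookies.get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(sid)):
        return 403  # rejected before the profile is touched
    sess.update({k: form[k] for k in PROFILE_FIELDS if k in form})
    return 200

def session_cookie_header(sid):
    """Set-Cookie line with HttpOnly (which the article says was missing) and Secure."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True  # not readable by page script
    c["sid"]["secure"] = True    # never sent over plain HTTP
    return c.output(header="Set-Cookie:")

def demo():
    """Forged update against both handlers; returns (vulnerable, hardened, legitimate) statuses."""
    sid = new_session("victim")
    jar = {"sid": sid}  # the victim's browser attaches this cookie automatically
    forged = {"phone": "CONSTRUCTED-attacker-number", "postcode": "XX1 1XX", "secret_question": "x"}
    legit = {"phone": "CONSTRUCTED-owner-number", "csrf_token": csrf_token(sid)}
    return (update_profile_vulnerable(jar, forged), update_profile_hardened(jar, forged),
            update_profile_hardened(jar, legit))
```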

Moore informed eBay of his findings on August 5. The company responded immediately and promised to address the issue.

However, 43 days later, the flaw is still present.

On September 2, Moore attempted to get a status update, but eBay representatives informed him that they don’t provide updates until a vulnerability has been repaired.


