XSS Flaw Mitigated on eBay

Wednesday, January 13, 2016 @ 09:01 AM gHale

Manufacturing automation professionals looking for spare parts on eBay were, for a period of time, in attackers’ crosshairs: a reflected cross-site scripting (XSS) vulnerability on the website could have allowed phishing attacks.

The flaw, identified in December by a researcher who uses the online moniker “MLT,” was fixed a month after the report reached eBay.

XSS vulnerabilities are highly common, but that doesn’t make them any less dangerous.

After eBay patched the vulnerability, MLT issued a proof of concept (PoC) video and a blog post describing the entire scenario.

MLT showed how an attacker could build a “real” eBay login page using a tool designed for copying websites from the Internet to the local system.

With the graphics of the eBay login page copied, an attacker could just add a PHP script so the submitted data would go to the attacker’s server instead of eBay.

The attacker could then inject the faux page as an iframe into the URL of the vulnerable eBay page. When victims clicked the attacker’s link, they would see the legitimate-looking phishing page apparently hosted on the ebay.com domain.
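To show why a reflected parameter makes this possible and what closes it, here is an added example that is not eBay’s or MLT’s code. The parameter name `q`, the page markup and the `shop.example` / `phish.example` hosts are constructed assumptions; the hardened version pairs output encoding with a Content-Security-Policy that restricts frames and form targets.

```javascript
// Added example: a hypothetical page that reflects a query parameter.
// The parameter name "q", the markup and the sample URL are constructed.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that let reflected text become markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: the parameter is written into the page verbatim.
function renderVulnerable(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<p>Results for: ${q}</p>`;
}

// Hardened: same page with output encoding, plus a CSP as a second layer
// so that an off-site frame or form target is refused by the browser.
function renderHardened(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return {
    headers: {
      "Content-Security-Policy":
        "default-src 'self'; frame-src 'self'; form-action 'self'",
    },
    body: `<p>Results for: ${escapeHtml(q)}</p>`,
  };
}

// True when the rendered markup contains a live iframe element.
function containsIframe(html) {
  return /<iframe[\s>]/i.test(html);
}

// Constructed sample link: the reflected parameter carries an off-site iframe.
const sampleUrl =
  "https://shop.example/search?q=" +
  encodeURIComponent('<iframe src="https://phish.example/login"></iframe>');

console.log("vulnerable page frames foreign content:",
  containsIframe(renderVulnerable(sampleUrl)));
console.log("hardened page frames foreign content:",
  containsIframe(renderHardened(sampleUrl).body));
```

The same `containsIframe` check can serve as a regression test on any page that echoes request data.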

These types of attacks are dangerous because victims are unlikely to suspect a compromise of their credentials before the attackers start abusing the stolen information.

At first, eBay did not respond to MLT, and this was not the first time a researcher complained about the time it takes eBay to resolve simple vulnerabilities.