eBay downplays significance of 'old school' XSS attack on its auction portal
eBay vulnerable to XSS attack enabling redirection of users, says BBC.
eBay: it's all down to the Java...
With the online auction portal coming up for its 20th anniversary next year - and rated the 27th most popular site on the Internet - eBay has been subject to a barrage of criticism over the years about forgeries on open sale, and contentious items sold on some of its country-specific sites. Now the auction giant has been rocked by accusations that its structure allows cross-site scripting (XSS) attacks to be quickly and easily carried out.
Research by the BBC has revealed that the ability to link to third-party Web sites from within a listing box - normally allowing access to data and pictures from portals such as Auctiva and others - can be hijacked to route to a third-party page designed to steal a user's credentials.
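As an added illustration (not eBay's code and not part of the BBC research), this is the kind of server-side allow-list filter a listing service can apply so that legitimate third-party images survive while anything able to redirect a visitor is stripped; the partner hosts and permitted tags are assumptions for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy (illustrative, not eBay's): embeds only from allow-listed partner
# hosts; script, on* handlers, javascript: URLs and unknown tags are dropped and recorded.
ALLOWED_HOSTS = {"auctiva.com", "www.auctiva.com"}   # assumption
ALLOWED_TAGS = {"p", "b", "i", "br", "a", "img"}
def url_allowed(url: str) -> bool:
    p = urlparse(url.strip())
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            self._skip = tag in ("script", "style")   # drop their body too
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                  # onclick, onerror, ...
                self.dropped.append(f"{tag}@{name}")
            elif name in ("href", "src") and not url_allowed(value or ""):
                self.dropped.append(f"{tag}@{name}={value}")
            else:
                kept.append(f' {name}="{html.escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False
        elif tag in ALLOWED_TAGS - {"br", "img"}:      # void tags have no close
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))       # text stays text

def sanitize_listing(listing_html: str):
    s = ListingSanitizer()
    s.feed(listing_html)
    s.close()
    return "".join(s.out), s.dropped     # (cleaned HTML, what was removed)

SAMPLE_LISTING = (   # constructed: one partner image plus redirect-style payloads
    '<p>Mint condition <b>camera</b></p>'
    '<img src="https://www.auctiva.com/pic.jpg">'
    '<script>location="http://phish.example/login"</script>'
    '<a href="javascript:location=\'http://phish.example\'" onclick="go()">Details</a>'
)
```

The `dropped` list is what a listing pipeline would log or alert on: a seller account whose listings repeatedly trip the script or `javascript:` rules is worth a closer look.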
This isn't the first time that eBay's security has been compromised. In May of this year the auction giant mandated all its users to change their passwords after revealing that a database - apparently containing encrypted passwords and other credentials - had been compromised.
According to Chris Oakley, principal security consultant with Nettitude, XSS attacks have been a known attack vector for many years.
The impact of such an attack, he explained, can be wide and varied, and it is possible to leverage a cross-site scripting flaw to deliver malware to an unsuspecting victim or - as appears to be the case here - to redirect users to malicious sites designed to capture their credentials.
"eBay appears to have been vulnerable to a variant of cross-site scripting that allowed malicious code to be delivered to its users without any interaction between the attacker and the victim required, which is arguably the most severe form of this vulnerability. XSS is currently ranked as number three in the OWASP Top Ten, which is an authoritative source of the most common web application vulnerabilities," he said.