eBay downplays significance of `old school' XSS attack on its auction portal

News by Steve Gold

eBay vulnerable to XSS attack enabling re-direction of users says BBC.

With the online auction portal coming up for its 20th anniversary next year - and rated the 27th most popular site on the Internet - eBay has been subject to a barrage of criticism over the years about forgeries on open sale, and contentious items sold on some of its country-specific sites. Now the auction giant has been rocketed by accusations that its structure allows cross-site site scripting (XSS) attacks to be quickly and easily carried out.

Research by the BBC has revealed that the ability to link to third-party Web sites from within a listing box - normally allowing access to data and pictures from portals such as Auctiva and others - can be hijacked to route to a third-party page designed to steal a user's credentials.

Reports of the XSS attack started circulating late yesterday, with the BBC noting that a malicious Javascript could be included in the product listing pages. This allowed the cybercriminals to route outside of eBay's normally limited range of third-party sites.

Interestingly, whilst eBay has sought to downplay the significance of the hack, the BBC claims to have found at least three listings using the Javascript XSS-based page jump technique.  

This isn't the first time that eBay's security has been compromised. In May of this year the auction giant mandated all its users to change their passwords after revealing that a database - apparently containing encrypted passwords and other credentials - had been compromised.

According to Chris Oakley, principal security consultant with Nettitude, XSS attacks have been a known attack vector for many years.

The impact of such an attack, he explained, can be wide and varied, and it is possible to leverage a cross-site scripting flaw to deliver malware to an unsuspecting victim or -  as appears to be the case here - to redirect users to malicious sites designed to capture their credentials.

"eBay appears to have been vulnerable to a variant of cross-site scripting that allowed malicious code to be delivered to its users without any interaction between the attacker and the victim required, which is arguably the most severe form of this vulnerability. XSS is currently ranked as number three in the OWASP Top Ten, which is an authoritative source of the most common web application vulnerabilities," he said.
"The preventions are well understood and one would expect all organisations - particularly those with vast quantities of customer data to protect - to have the required defences in place.  After all, attackers are adept at exploiting any gap that exists in security defences, and it only takes one successful attempt for a disastrous data breach to occur," he added.

Charles Sweeney, CEO of Bloxx, the Web filtering and security specialist, agreed with Oakley's view that XSS attacks are old school, but noted that the attack vector has obviously been effective.

"By scanning for unpatched vulnerabilities on a Web server and then exploiting the vulnerability to inject malicious redirect code on the page. Then when the user goes to that page, hey presto, the script redirects them to the spoof site. Most people simply wouldn't check that the URL is no longer the eBay domain," he said.

"The success of the attack lies very much in its simplicity and people's acceptance that what they are presented with online is real. What is really concerning is that, once again, eBay has demonstrated an unacceptable attitude to their user's safety being compromised online. That they seemingly had to be chased by the BBC in order to take action is shocking," he added.

In an email to SC Paul Ayers, VP EMEA, Vormetric adds: “It is unfortunate that eBay has once again found itself under fire for failing to respond adequately to a data breach incident. To make matters worse, this latest report comes just a little too soon after attacks on its database and daughter site, Stubhub, which exposed user credentials. For eBay, this hat-trick of security incidents will surely do the company no favours in terms of restoring and maintaining consumer confidence.”

“In this day and age, businesses of all sizes need adequate security intelligence mechanisms in place to monitor all activity across their networks, so that they can spot any suspicious activity and stop hackers in their tracks. As has been shown, hackers will find one way or another to get access to data.  As a result, encryption of sensitive data, regardless of where it resides is the only way to ensure that it remains illegible and essentially useless if, or when, it falls into the hands of cybercriminals."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews