eBay riddled with XSS flaws


eBay seems to be having a rough time since it admitted the breach last week: more flaws have been discovered that haven’t been fixed and can be exploited to hijack user accounts.

Jordan Jones, the security researcher who reported the major vulnerability in eBay’s website last week, has published details of a second vulnerability that hadn’t been fixed as of Monday.

Jones, a 19-year-old college student from Stockton-on-Tees, UK, said that eBay was notified about the second flaw – a cross-site scripting (XSS) vulnerability in eBay’s labs page. He explained how the XSS flaw can be used to display a pop-up reading “1337” on the eBay website; “1337” is hacker lingo for “leet,” short for “elite.”

“Ebay should be on top of their stuff,” Jones said in an instant message conversation late Monday.

German security researcher Michael E has spotted another persistent cross-site scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML and JavaScript code into the eBay website, creating auction pages that carry unauthorized JavaScript code. The malicious code can in turn steal visitors’ account cookies, allowing attackers to hijack the users’ accounts.

The Hacker News reported that eBay “accepts the same login cookies again and again, even if the victims have logged out or reset their passwords.”

Exploiting these two XSS vulnerabilities, which are still unpatched, can give attackers permanent access to the user accounts.
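The cookie behaviour quoted above comes down to whether the server is able to revoke a session. The sketch below is an added example, not eBay's code: it contrasts a signed cookie that stays valid after logout or a password reset with a server-side session store that revokes it. All class and function names and the user `alice` are assumptions made for illustration.

```python
import hashlib, hmac, secrets

SECRET = secrets.token_bytes(32)  # constructed signing key for this demo

class StatelessCookies:
    """Weak: a signed cookie verifies forever; the server keeps no session state."""
    def issue(self, user):
        sig = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
        return f"{user}.{sig}"

    def validate(self, cookie):
        user, _, sig = cookie.rpartition(".")
        good = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(sig, good) else None

    def logout(self, cookie):
        pass  # only the browser's copy is deleted; the value still verifies

    def reset_password(self, user):
        pass  # the signature does not depend on the password

class ServerSideSessions:
    """Hardened: the cookie is a random id that must exist in a server store."""
    def __init__(self):
        self._sessions = {}  # session id -> user

    def issue(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def validate(self, cookie):
        return self._sessions.get(cookie)

    def logout(self, cookie):
        self._sessions.pop(cookie, None)  # revoke this session

    def reset_password(self, user):
        for sid in [s for s, u in self._sessions.items() if u == user]:
            del self._sessions[sid]  # revoke every session of this user

def copied_cookie_survives(store, event):
    """True if a cookie issued before `event` is still accepted afterwards."""
    cookie = store.issue("alice")  # constructed user; same value also held elsewhere
    if event == "logout":
        store.logout(cookie)
    else:
        store.reset_password("alice")
    return store.validate(cookie) is not None
```

With the server-side store, a cookie value copied before logout or a password reset stops working at that point, so it no longer gives lasting access.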

The Hacker News also reported that Egyptian security researcher Yasser H. Ali has discovered another highly critical vulnerability, but refused to elaborate on the technical details because eBay’s security team has yet to address the flaw.

According to the report, this vulnerability “can seriously allow an attacker to hijack millions of user accounts in bulk and this exploit could be very successful in the targeted attacks.”

The report read: “As a proof of concept Mr.Yasser privately demonstrated the vulnerability step-by-step to ‘The Hacker News’ team and we confirm – IT WORKS. We promise to share the technical details of this interesting flaw, once eBay team will patch it.”