eBay XSS Vulnerability

What You Need To Know – Millions of eBay Users Exposed

Jan 14, 2016 By Sharon Solomon

Online e-commerce has become the rage. Millions of people worldwide do their shopping on the various online platforms. But even enormous e-commerce platforms like eBay are not immune to cybercrime, as security researcher MLT demonstrated recently. The culprit this time was Cross Site Scripting (XSS), a common application layer vulnerability that evidently was not detected or remediated during development.

What was stolen?


The way it looks right now, nothing was stolen. Security researcher MLT demonstrated recently on his blog how easy it is to execute phishing attacks on eBay. Luckily for eBay and its 159 million active users, this vulnerability was not used maliciously in real attacks. As far as we know, the ethical hacker has only exploited this flaw as a POC.


How was the POC attack on eBay executed?

The method used to perform this POC was Cross Site Scripting (XSS). XSS is probably at the top of the list of vulnerabilities exploited in the wild. The idea is very simple: make users think they are looking at the regular login page while they are actually entering their credentials into a form injected by a third party. All the data is collected on a remote command and control server.


Here is how the attack was performed. MLT did the following things:


1 – Used WebHTTrack, dedicated mirroring software, to duplicate the eBay interface.

2 – Changed the login form inputs for the page and directed them to his PHP script.

3 – Created a malicious PHP script (payload) to execute the attack properly.

4 – Made sure all permissions were properly set up and tested everything locally.

5 – Embedded the iframe after using the JavaScript document.write function to write the relevant HTML content to the malicious page.


Once the victim entered his credentials on the phishing page, a GET request was made to log.php on MLT’s server and the entered details were written to log.txt in plaintext.


MLT’s eBay hacking POC. Courtesy: www.ret2libc.wordpress.com


What now?

eBay initially took their time to process the POC that was sent to them by MLT in December 2015. But the issue was eventually patched, and eBay can’t be hacked this way anymore. As mentioned earlier in this post, there have been no known live attacks exploiting this vulnerability; however, it is crucial for vendors to address such issues as early as possible to avoid potential attacks on their users and platforms.


XSS is an application layer vulnerability that can be eradicated during the development process. This is ideally done by integrating security into the developer’s environment and automating the whole process. In other words, the organization should ideally create a secure Software Development Life Cycle (sSDLC), where security issues are treated like QA bugs and eliminated as they arise.
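To make that concrete, here is an added example (not code from the original post, and not eBay's code) of the kind of defect XSS comes down to, shown beside its fix. The vulnerable function concatenates an untrusted value straight into HTML; the hardened one encodes it for an HTML text context, so a payload of the iframe-injecting kind described above is displayed as text instead of being parsed as markup. A Content-Security-Policy builder is included as defence in depth: without 'unsafe-inline', injected inline scripts do not run, and frame-src and form-action limit where frames and form submissions may go. The sample payload, the placeholder origins and the function names are all constructed for this illustration.

```javascript
// Added example, not from the original post and not eBay's code.
// Escape the five characters that can change HTML structure in a text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: an untrusted parameter is concatenated straight into markup,
// so anything it carries (tags, scripts, iframes) is parsed by the browser.
function renderGreetingUnsafe(displayName) {
  return `<p>Welcome back, ${displayName}!</p>`;
}

// Hardened: the same value is encoded for an HTML text context before use.
function renderGreetingSafe(displayName) {
  return `<p>Welcome back, ${escapeHtml(displayName)}!</p>`;
}

// Defence in depth: a CSP that blocks inline scripts (no 'unsafe-inline'),
// restricts which origins may be embedded in frames, and restricts where
// forms on the page may submit. The origins passed in are placeholders.
function buildCsp(selfSource, allowedFrameSource) {
  return [
    `default-src ${selfSource}`,
    `script-src ${selfSource}`,
    `frame-src ${allowedFrameSource}`,
    `form-action ${selfSource}`,
  ].join('; ');
}

// Constructed sample input: the shape of a reflected parameter carrying an
// injected script that would write an iframe, as in the POC described above.
// The host name is a placeholder, not a real site.
const SAMPLE_PAYLOAD =
  '<script>document.write("<iframe src=http://phish.example/login></iframe>")</script>';

// Helper used to judge the rendered output: is there still a live tag in it?
function containsRawTag(html) {
  return /<\/?(script|iframe)\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe:', renderGreetingUnsafe(SAMPLE_PAYLOAD));
console.log('safe:  ', renderGreetingSafe(SAMPLE_PAYLOAD));
console.log('csp:   ', buildCsp("'self'", "'none'"));
```

Output encoding is the actual fix; the CSP only limits the damage if an encoding step is missed somewhere, which is exactly the class of defect an automated scan in the build pipeline is meant to catch before release.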


Besides the obvious benefit of avoiding post-release embarrassments (best case) and hacking incidents (worst case), implementing automated solutions such as Static Code Analysis (SCA) allows improved ROI, better security awareness amongst developers and less inter-department friction (security staff, development teams, management) within the organization.

