eBay XSS password-stealing security hole "existed for months"

eBayLast week an alarm was raised about a security hole on the eBay website which had caused at least one potential purchaser to be transported to a password-stealing scam instead of an auction page flogging an iPhone.

As I explain in the following video, hackers had managed to exploit an XSS (cross-site scripting) flaw in eBay to take unsuspecting users to a phishing page.

Fortunately, eagle-eyed IT consultant Paul Kerr spotted that he was being redirected a phishing page, and informed eBay's support team regarding the serious issue.

But unfortunately, eBay did nothing about it until a journalist at the BBC later got in touch.

Oh dear.

Of course, the same flaw could have been abused to not just redirect web browsers to a phishing page but to any manner of dangerous webpages, including content that might have been designed to infect users' computers with malware. And the poisoned auction listings didn't need to be selling iPhones, they could have just as easily used anything from a vintage gumball vending machine to a Whizzer and Chips 1970 Holiday Special as a lure.

At the time I worried that the flaw might have existed for some time, and that eBay's claim that it was an isolated incident might not be entirely accurate.

Sadly, it looks as though I was right to have those fears.

A new report from the BBC claims that the vulnerability has been in existence since at least February of this year, and says that several eBay users have come forward and reported that they have had similar experiences which appear to be tied to the same flaw.

BBC eBay report

One user who contacted the BBC was Paul Castle, who shared a chat transcript that he had had with eBay's support team back in February:

"I was just browsing in Digital Cameras and came across a password-harvesting scam."

"This is potentially a big security problem for eBay users. There could be hundreds."

eBay's support team responded to Castle, saying that they would escalate the concern to "higher authorities".

In further investigations, the BBC uncovered 64 listings from the past 15 days that "posed a danger to users".

None of this, of course, should ever have been allowed to happen. eBay says it has rigorous guidelines regarding the use of HTML and JavaScript on its auction listings.

eBay guidelines for HTML and Javascript

Indeed, eBay claims that it will display an error message if it determines the rules are being broken:

If you try to use scripts that we disable, you'll get an error message that says "Disallowed JavaScript/HTML Syntax". This means you can't list the item, or the script will be disabled at run-time.

To help keep our website working the way we designed it to, we don't allow using HTML or JavaScript functions that manipulate or change the way the site and its features operate.

Clearly, however, eBay's attempts to stamp out mischievous meddling in eBay listings failed and allowed the criminals to redirect users to a third-party page.

I think the underlying problem here is that eBay allows its sellers to customise auction listings too much, with too many bells and whistles and functionality that probably isn't required to sell goods online. What's wrong with having a simple photograph or two, and a text description of the goods on sale?

Why should you have to wade through ghastly-designed auction pages which look like someone has vomited a bucket's worth of ugly HTML onto the page and ended up with something which looks like a badly-designed MySpace profile? It certainly turns me off some item listings on eBay, and clearly giving users that much flexibility has also introduced some serious security issues.

There are plenty of reasons to be careful when buying items on eBay in the first place, it's disappointing to find out that you also need to keep a keen eye open for scams and malicious scripts that eBay's security team should really have stamped out in the first place.

Tags: , , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , , ,

4 Responses

  1. Chris Manofkent

    September 22, 2014 at 3:25 pm #

    After eBay 'donated' my personal details to the dark fraternity earlier this year, I was no longer able to view those personal details so that I could remind myself of exactly what information eBay had kindly disclosed on my behalf. It is as though by concealing that information from its rightful owner that eBay is pretending that the problem does not exist.

    eBay presumably has a corporate culture which compels all its people to be in denial, especially those at the most senior levels. If they delude themselves that there is not a problem, then there isn't as far as they are concerned.

  2. Coyote

    September 22, 2014 at 4:49 pm #

    "I think the underlying problem here is that eBay allows its sellers to customise auction listings too much, with too many bells and whistles and functionality that probably isn’t required to sell goods online. What’s wrong with having a simple photograph or two, and a text description of the goods on sale?"

    You're quite correct. I think I referred to this (maybe vaguely) in the other post you made. Indeed the problem is that they allow this customisation (which as you correctly point out is not necessary) and they clearly don't sanitise (which IS necessary) things well. Hence my satire + sarcasm in the other post (my response when referring to this update here). If they actually took care of a very common flaw in websites, they wouldn't have this problem. Yet, to them it is simply not fair (which really means they are trying to show they take it seriously but do not). Their statement, as the BBC reported it (and quotes) was:

    In a statement, eBay said it had a dedicated team working on security, but that criminals "intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems".

    It is one thing to address the problem in a responsible manner (which includes being appreciative of the report, evaluating things in full, … and working to maintain it [1]). It is another when they make statements like the above (and other statements about how it was an isolated case (which clearly isn't true)).
    [1]I wonder if they have a proper security policy like all corporations should have? Then again, perhaps they aren't so bad, seeing as other corporations ALSO play the victim game (and claim isolated event and so on). I think it comes down to responsibility. Can't expect perfection but one would like to believe that responsibility is in play (and always striving to better themselves/customers/…).

    Simply put: they allow custom scripts as well as linking off site. Both of those are going to be (technically, just remove "going to be" and leave it at "are") problematic as has been clearly demonstrated.

  3. doktorthomas3

    September 23, 2014 at 5:41 pm #

    eBay has a laisez-faire attitude about everything except getting their money. It is no surprise their IT was unconcerned (may still be unconcerned). American IT is so far behind they can barely understand security issues… we may write the software, but others exploit it in a superior fashion at levels not envisioned.
    Catch-up, the most American game.
    I have little faith in American IT departments; no faith in anything "cloud."
    Did you know most offending bots hail from two sources: China and Amazon servers. Don't take my word; do your own research. ©2014 DoktorThomas™

  4. anonymous

    September 25, 2014 at 6:27 am #

    you should read this tweet from CERT

    https://twitter.com/certcc/status/513050689464193024

Leave a Reply