eBay Stumbles Over Old-School Attack

Fraudsters Used Cross-Site Scripting Exploit
A cross-site scripting vulnerability at eBay.co.uk left an undetermined number of users susceptible to an attack that attempted to steal their credentials when they clicked on links within a listing offering a used iPhone for sale.

Some security experts have expressed surprise that eBay wasn't already blocking all attacks of this nature. "eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries - it's the kind of code which should be stripped out of its pages, so there's no possibility of any harm being done," independent security expert Graham Cluley says in a blog post.

"Although in this case it was cheap iPhones that were being used as bait to catch unwary eBay users, it could just as easily have been other items that attackers had used to lure surfers into handing over their eBay usernames and passwords."

The cross-site scripting, or XSS, attack used JavaScript embedded in the listing for an iPhone 5S, the BBC reported. If users clicked on the malicious link and the JavaScript was able to execute, then they were redirected through a series of sites to a site that looked like eBay, which requested their log-in name and password. In reality, however, the site was a fake, set up by attackers to harvest users' eBay credentials.

A Common Vulnerability

Information security experts say cross-site scripting exploits - also known as XSS attacks - have long been one of the most commonly seen online vulnerabilities. Indeed, XSSposed, a not-for-profit site that launched in June where security researchers can report cross-site scripting flaws they've found in sites, says it's already received more than 3,200 XSS vulnerability reports. Of the 2,500 sites affected by those XSS flaws, one-quarter are in the Alexa list of the world's top 50,000 sites.

Cross-site scripting attacks work when a site fails to fully validate data, including user-supplied data. "Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it," according to OWASP, which focuses on software security issues.

By exploiting this flaw, attackers can inject malicious scripts into otherwise legitimate sites and have these scripts delivered to users' browsers. "The end user's browser has no way to know that the script should not be trusted, and will execute the script," OWASP says. "Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page."

With that type of functionality on hand, cross-site scripting attacks can be quite dangerous, and indeed they're ranked third on the OWASP top 10 list of Web application security risks - trailing only injection flaws and broken authentication. "XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface websites, or redirect the user to malicious sites," OWASP says.
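The OWASP description above comes down to one missing step: seller-supplied text reaching the page without being encoded. The following is an added example, not code from the article or from eBay, showing a listing template rendered with and without HTML encoding over a constructed listing description; the function names and the sample text are assumptions for illustration.

```javascript
// Added example (not from the article): two ways a marketplace page might render
// a seller-supplied listing description. The unsafe version drops the raw string
// into the HTML, so a <script> tag in the description executes in every visitor's
// browser; the hardened version encodes it first, as OWASP recommends.
// The listing text below is constructed for illustration.

// Encode the five characters that let text break out of an HTML text node or
// a quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: seller input concatenated straight into the page markup.
function renderListingUnsafe(title, description) {
  return `<h1>${title}</h1><div class="desc">${description}</div>`;
}

// Hardened: every untrusted value is HTML-encoded before it reaches the output.
function renderListingSafe(title, description) {
  return `<h1>${escapeHtml(title)}</h1><div class="desc">${escapeHtml(description)}</div>`;
}

// Crude defender-side check on rendered output: a script tag or an inline event
// handler is active content that this template itself never emits.
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample: a listing whose description smuggles in a script tag.
const SAMPLE_TITLE = "Apple iPhone 5S 16GB - used";
const SAMPLE_DESC = "Great condition.<script>/* attacker-controlled code */</script>";

const unsafeHtml = renderListingUnsafe(SAMPLE_TITLE, SAMPLE_DESC);
const safeHtml = renderListingSafe(SAMPLE_TITLE, SAMPLE_DESC);

console.log("unsafe render has active content:", containsActiveContent(unsafeHtml)); // true
console.log("safe render has active content:  ", containsActiveContent(safeHtml));   // false
```

The encoded output still displays the seller's text verbatim to the visitor, including the literal "<script>" characters, but the browser treats it as text rather than markup.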

In a statement provided to Information Security Media Group, eBay notes: "The eBay corporate network has not been compromised. This appears to be a case of abuse by a user who placed malicious links within a few product listings on eBay.co.uk. We take the safety of our marketplace very seriously and remove listings that are in violation of our policy on third-party links."

The statement continues: "Cross-site scripting, carried out by malicious individuals, is an issue affecting sites across the Internet. The criminals behind cross-site scripting and phishing activity intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems. Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code."

How Severe an Attack?

The BBC reports that it found at least three separate listings that employed the malicious JavaScript. Furthermore, it took eBay 12 hours to excise the offending pages after first being alerted to the problem by "eBay PowerSeller" Paul Kerr, an IT professional based in Clackmannanshire, Scotland, according to the BBC.

But eBay reportedly blocked the attack only after being contacted by the BBC, and the auction site has been criticized for its apparent delay. "eBay is a large company and it should have a 24/7 response team to deal with this - and this case is unambiguously bad," Steven Murdoch, from University College London's information security research group, tells the BBC.

In its statement to ISMG, eBay states: "All the listings reported to eBay by Mr. Kerr have been fully investigated and removed on our eBay.co.uk site. Contrary to some media reports, the listings reported by Mr. Kerr were removed within 90 minutes of his original customer report."

It's not clear if eBay has yet addressed the underlying vulnerability exploited by attackers. "Even if eBay removed this particular listing from the website as the article indicated, it is not clear whether eBay fixed the root cause," according to research published by threat-intelligence firm iSight Partners. "Therefore, it is possible that other eBay pages are still vulnerable to the same attack."

Earlier Security Incidents

The news of the eBay cross-site scripting attack follows the auction site's announcement in May urging its 145 million users to change their passwords following a cyber-attack that compromised encrypted passwords and other personal information.

And in July, three Americans and three Russians were charged in a scheme that allegedly generated $1 million by compromising 1,600 accounts at eBay subsidiary StubHub. eBay discovered the alleged account compromise in March 2013 and said attackers used valid credentials - gleaned from data breaches and malware attacks - to make purchases with valid credit card details registered to the hacked accounts.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.