Swindlers using new CSS method attack eBay

Swindlers have apparently managed to manipulate descriptions of goods on eBay so that they can change or overwrite any item numbers and the advertiser's email address. This hasn't just misled bidders: it's thought that eBay's measures to protect against fraudulent auctions have been outsmarted.

The swindlers use a cross-site scripting attack in conjunction with the XML Binding Language (XBL), which allows elements in an HTML document containing scripts, style sheets and other objects to be linked to another web site. However, precisely where the error lies is still unknown.

Although the developer Cefn Hoile has sparked off a discussion in the Firefox bug database about a vulnerability in the browser, an attacker would get nowhere without the ability to link his own code to eBay. It is possible to reload cascading style sheets (CSS) from other Web sites into an advertiser's own auctions, although it shouldn't really be possible to reload JavaScript. Nevertheless, it's reported to be possible to reload and run prohibited scripts by using a certain function.

eBay now claims to have eliminated the problem on its pages, while Firefox's developers are thinking about developing a patch to contain it. However, they point out that this attack doesn't exploit a vulnerability in the browser, nor, for example, does it violate the same-origin policy. On the contrary, they say, the danger of content being embedded from other pages has been known for years, and eBay simply ought to improve its filtering, or checking, of downloaded content.

Other pages that permit the embedding of code and the reloading of CSS are also affected by the problem. Its claimed that Internet Explorer versions 6 and 7 are vulnerable to such attacks.

(trk)