eBay Had An XSS Bug

Hi all,

A phishing scam using a near-identical copy of the eBay login page, reached through a URL that begins with ebay.com, has been tricking users into entering their usernames and passwords. Once the credentials are submitted, the page shows an error message while the credentials are sent to the attacker. Last Monday eBay patched the XSS (Cross-Site Scripting) vulnerability that attackers could have used to inject malicious code into its genuine sign-in page.

It was reported that a researcher who goes by the name MLT discovered the flaw and reported it to eBay on 11 December 2015. MLT followed up with a post titled “A tale of eBay XSS and shoddy incident response” explaining how he was able to exploit it and how eBay failed to respond promptly to his report.

An eBay spokesperson, however, said the delay was a miscommunication: MLT had followed up on his initial bug report from “a different email alias.”

MLT's post also includes a video demonstrating the attack.

eBay's sign-in page takes a parameter from the URL's query string and writes its contents into the page before it is shown to the user. That parameter was not sanitised or encoded, so anyone could place their own HTML and script in it and have the page reflect it back. This is a reflected XSS: it does not modify the page permanently, but an attacker who gets a victim to click a poisoned link can run script in the context of the real eBay sign-in page, for example to redirect the submitted credentials to a server they control. Such flaws are dangerous because they enable near-invisible phishing: the link really does point at the legitimate domain, so spotting the attack requires reading the entire URL carefully and having the technical knowledge to recognise the script in it.

eBay has had XSS bugs before as well

In April 2015, researcher Jaanus Kääp found that a bug he had reported to eBay more than a year earlier was still not fixed. In a post, he explained that it was a serious issue that allowed an attacker to carry out an XSS attack through eBay's internal messaging system by intercepting and modifying a request. According to him it was an easy issue to fix; eBay fixed it in September.


The safest approach is not to click on links in emails at all: if you need to visit a website, type its address directly into the browser. Checking that a link points at the right domain is not enough on its own, since in this case the poisoned link really did lead to ebay.com.


Source: Akati
