According to a UK researcher, eBay's site has remained vulnerable to CSRF attacks.
According to a UK researcher, eBay's site has remained vulnerable to CSRF attacks.

A serious vulnerability, which gives saboteurs the means to take over victims' accounts, plagued eBay's website for at least several months, a researcher revealed.

According to Paul Moore, a UK-based IT consultant, an eBay page where users update their profiles remained vulnerable to cross-site request forgery (CSRF) attacks long after he first notified the company about the issue in August.

Last Friday, security news service Threatpost published an article on the threat, including email correspondence from Moore, which said he'd “given up [on] asking eBay” to remediate the issue and was now focused on educating users. In September, Moore began blogging about the vulnerability.

On Monday, SCMagazine.com followed up with Moore, who said via email that he was aware that eBay had “made some changes” that afternoon to fix the issue. Moore added, however, that he planned to re-test whether the problem still impacted the site. (According to Moore's blog, eBay has said that the vulnerability was resolved in the past, while his followup research showed otherwise.)

To hijack an eBay account, a saboteur would need authentication (a victim's username and password) in addition to carrying out the CSRF attack. Via his blog post, Moore explained that the attack must be carried out during an active eBay web session as cross-site request forgery "exploits the trust a web site has in a user's browser."

Moore also detailed how an attacker could easily reset a victim's eBay password to aid in carrying out the hack.

By exploiting the CSRF vulnerability and submitting a fake form online, a hacker could change the contact number associated with a users eBay account – information that is also used to authenticate users wishing to reset their password.

"So to summarize...the hacker submits a fake form which changes your contact telephone number, runs a password reset and waits for the phone to ring,” Moore wrote. “Time required to hijack an account... [less than] 1 minute.”

To avoid falling victim to the attack, Moore recommended that users log out of their eBay accounts as soon as they are finished using the site, and that they do not visit any other sites during an active web session – even via a new tab or window.

SCMagazine.com reached out to eBay, but did not immediately hear back from the company.

UPDATE: In a Monday followup email, Moore told SCMagazine.com that the eBay site still appeared to be vulnerable as of 11:32 pm (GMT) that day. Scott Helme, a test automation engineer in the UK, re-tested the exploit.