Incident Response, TDR

eBay subdomains vulnerable to XSS attacks, researchers find


While eBay responds to a major breach impacting its users, researchers warn that other security concerns should be on the company's list of issues to resolve – namely, cross-site scripting (XSS) flaws impacting its website.

On Tuesday, Ilia Kolochenko, CEO of Swiss penetrating testing firm High-Tech Bridge, confirmed in email correspondence with that two XSS flaws afflicted one of eBay's subdomains.

In an email, Kolochenko said that exploitation of the flaws could “allow [an attacker] to steal eBay users' credentials.” Kolochenko reported the issue to eBay on Tuesday, after a running a quick check on the site's security, but asked that the specific URL of the domain remain undisclosed as eBay had yet to address the bug. 

“It would be fair to say that an average security researcher can easily find exploitable XSS on eBay within 30 minutes,” Kolochenko wrote.

Kolochenko's confirmation came just days after other researchers, Jordan Jones in the UK and a German researcher going by the name “Michael E,” revealed separate XSS bugs plaguing eBay's Research Labs page and auction page. On Friday, The Hacker News reported on the security holes, which appeared to remain open as of that day.

While a prevalent vulnerability in websites, XSS bugs are a serious issue that can result in sensitive user information being accessed by attackers. A common XSS attack method might involve a hacker using code injections to steal visitors' data, like cookies, or manipulating what victims see to trick them into inputting sensitive personal or financial information.

Just last week it was revealed that Yahoo addressed an XSS flaw which existed in the comments section of most of its websites.

On Tuesday, Ryan Moore, a spokesman at eBay, indirectly addressed the XSS bug reports, saying that the issue is “not a new type of web application vulnerability on sites such as eBay.”

He also noted that the issue was unrelated to eBay's breach announced last week. That incident reportedly impacted as many as 145 million customers, who were urged to change their passwords.

“This is related to the fact that we allow sellers to use active content like Javascript and Flash on our site,” Moore wrote of the website vulnerabilities. “Many of our sellers use active content like Javascript and Flash to make their eBay listings more attractive. However, we are aware that active content may also be used in abusive ways.”

To address these issues, the company continuously identifies and removes malicious content affecting its sites, and monitors the active content that eBay sellers use in their items descriptions, Moore explained.

“Therefore we ask anyone who believes they have detected any form of vulnerability on our site to report it immediately through our report a problem center,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.