Cross-Site Scripting at ebay.co.uk

Recently a cross-site scripting vulnerability at ebay.co.uk left users susceptible to an attack that attempted to steal their credentials when clicking on links within a listing offering. For such a big corporation to not be blocking this type of vulnerabilities is really appalling to some security experts as this is not a new type of vulnerability.

The XSS attack used JavaScript embedded within the listing, and if the user clicked on the malicious link and the script was able to execute (e.g. the user wasn’t using NoScript for example) it would redirect them to a site that looks like eBay requesting their login information. The site of course was a fake setup to harvest user credentials.

The BBC reports that it found at least three separate listings using the malicious JavaScript. Furthermore, it took eBay approximately 12 hours to take down the pages after first being alerted of the problem by one user. The number of affected users is undetermined but given the response time one might assume that the number could be quite high.

Source: http://www.databreachtoday.com/ebay-stumbles-over-old-school-attack-a-7333/op-1

Advertisements