Severe Vulnerability At eBay's Website
New submitter Golem.de (3664475) writes with another security problem at eBay: "The German security expert Micheal E. discovered the persistent cross-site scripting vulnerability on eBay's website about two months ago and said he reported it to Ebay immediately. Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error has not yet been fixed. An attacker can manipulate an official auctioning web page and insert Javascript code. By visiting the malicious web page the code is executed by the victim and could potentially be used by the attacker to execute arbitrary actions in the victim's Ebay account and gain full control over it. There is probably no connection to the huge database theft reported a few days ago. The XSS flaw can only be used to attack one victim at a time."
Well if eBay doesn't want his exploit, perhaps he should auction it off to the highest bidder... isn't there a site for that?
Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error has not yet been fixed.
I used to make my living selling stuff on eBay some years ago. This sounds like par for the course when it comes to eBay's coding competence. We developed some custom software to handle our listings and other activities and to say eBay's code was poor was a gross understatement. Their security procedures were haphazard and arbitrary and they didn't seem to care much. Maybe they've gotten better in the last 7 years but based on what I'm reading lately it seems not so much.
I heard the problem at eBay was that an employee's login had been compromised (via social engineering apparently, but we might never know).
Regardless of how that happened, that an employee was able to login from a remote location shows the sad state of affairs of security today.
When I worked at a credit reference agency, security was top priority - as if you lost someone else's data (e.g. a bank's) then said bank would withdraw your access to their data, and that meant you couldn't continue to do business.
So we had the production servers in a datacentre that were physically disconnected from the internet. You wanted to update your SQL, someone had to go there (it was very close :) ) to update things. The only connection to the outside world was the web servers, and they had access solely to locked-down services that in turn solely had access to the parts of the DB that they needed to read from.
Layers of security like this mean that if you get your web site hacked (as happens, frequently) the attacker cannot do much damage. They must hack the services layer as well (which means attacking the OS they run on, through a very narrow firewall) and even then they would have to hack the OS security to gain access to a limited section of data. They'd have to further hack the DB to get access to all the data.
So no-one could ever realistically dump the entire user table in that system. Why anyone lets websites do less is a mystery to me.
Note: Even so-called "security editors" fall into the camp of thinking layered security is not necessary. In this ArsTechnica story, the 'promoted comment' describes a riposte where the poster says the web server needs a direct connection to the web server!!! I can understand some junior web dev thinking it, I can't imagine anyone who knows security taking it seriously, yet many did. This is why we have breach after breach.
...but run by excellent salespeople.
Capitalism is 90% salesmanship.
So how about a write-up in English Mr. Golem?
ePay is so hostile for anyone selling casually it's no longer worth your time. Paypal now holds onto your funds for weeks if you haven't sold anything recently and your feedback score or number of auctions makes no difference. No matter what small item is sold everyone complains. As a seller you'll automatically lose any complaint filed against you. People overpay for items and then complain something is wrong and then pick arbitrary partial refund values. The auction fees themselves have gotten ridiculous, over 10% on small items. As a buyer you won't find any auction deals. That time has long passed. Now it's mostly a marketplace for Chinese storefronts.
Why can't someone come up with an alternative? Google has a payment system up and running so why can't they make a competitor?
Only the State obtains its revenue by coercion. - Murray Rothbard
This is what happens when you allow scripting into documents of any type: Guess the webboys didn't learn a thing from Ms Word or Excel macros (which @ least for those you could hold down the shiftkey @ opening time to disable them from executing - good luck doing that on webpages, unless you disable them using javascript wholesale (good luck that in IE minus bitching or FF minus NoScript - only Opera 12.x & below series afaik natively allows "by site" preferences for it which is native to it, no addons bloating resources consumption required)). It was a totally dumb thing to move away from CGI Bins/WinCGI server-side execution merely sending back a result to a browser client in true client-server fashion, where the biggest risk is if the DBA & WebServer Admins *might* not have secured the database or website properly.
The linked article has zero information regarding this attack and instead focuses on eBay's attack history; once more, it also links to its own eBay page so +1 for that.
The one hint it does include is a picture and in the picture you can see that the JavaScript is being inserted into the title of the listing (not sure if that's the actual vulnerability or not though). However, as a security researcher, showing a PoC against a large company requires more than a simple alert(1) and instead should use something such as alert(document.domain). The reason for document.domain is because it will show what hostname the JavaScript is executing under - which means everything when it comes to security.
If this is really an XSS hole and eBay comes back with "it's not that bad", there's a good chance that the JavaScript is executing in an iframe on a separate domain which means attackers would not have important access such as a user's cookies / etc. Instead, they'll only be able to execute arbitrary JavaScript (which is bad, but nothing worse than setting up a bad domain and using SEO tricks to drive traffic to it).
Can anyone find a more relevant article that spills out the actual details of this, or maybe one that includes the actual PoC this researcher has created?
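The pattern this post is reasoning about, a listing title that carries script into the page, as an added example that is not code from the post, from Golem.de or from eBay: a title rendered unescaped beside its escaped form, plus a scan a defender could run over already-stored titles. All function names, field names and sample listings are hypothetical.

```javascript
// Added example (not from the post or from eBay): stored XSS via a listing
// title, rendered two ways, plus a triage scan over stored titles.
// All function and field names are hypothetical.

// Escape the five characters that change meaning in HTML text or inside a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the seller-controlled title is concatenated straight into the
// markup, both as a text node and inside an attribute, so a crafted title
// becomes live script for every visitor, running under the site's own
// origin (which is what the alert(document.domain) check above reveals).
function renderListingUnsafe(listing) {
  return `<a href="/item/${listing.id}" title="${listing.title}">` +
         `${listing.title}</a>`;
}

// Hardened: every untrusted field is encoded for the context it lands in.
function renderListingSafe(listing) {
  const id = encodeURIComponent(listing.id);
  const title = escapeHtml(listing.title);
  return `<a href="/item/${id}" title="${title}">${title}</a>`;
}

// Detection over stored data: flag titles carrying a tag, an inline event
// handler or a javascript: URL. This triages what was already saved; the
// fix is output escaping, not this filter.
function looksLikeInjectedScript(title) {
  return /<\s*[a-z!\/?]|\bon\w+\s*=|javascript\s*:/i.test(title);
}

// Constructed sample listings (not real eBay data).
const hostileText = { id: 'A1', title: 'Vintage radio <script>alert(document.domain)</script>' };
const hostileAttr = { id: 'A2', title: 'Vintage radio" onmouseover="alert(document.domain)' };
const benign = { id: 'A3', title: 'Vintage radio, works on mains & battery' };

// Returns, per listing, whether it was flagged and the safe markup, so the
// two views can be compared side by side.
function reviewListings(listings) {
  return listings.map((l) => ({
    id: l.id,
    flagged: looksLikeInjectedScript(l.title),
    html: renderListingSafe(l),
  }));
}
```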
The other 10% is bribery (now called "lobbying")
Google has a payment system up and running so why can't they make a competitor?
Because Google is an advertising company, eBay's profit margins are half of Google's, and Google has no realistic chance at taking over eBay's business anyway short of buying them outright. EBay is a great example of the power of the networking effect. They aren't particularly good at technology but they have the network effect working for them big time. It's the place with the most sellers and the most buyers so it is REALLY hard to displace them because anywhere else you aren't as likely to get a sale. Amazon (sorta) tried. Google (sorta) tried. There are plenty of other auction sites but the only thing that is likely to displace eBay is screw ups by eBay.
"There is probably no connection to the reported a few days ago"
To the WHAT reported a few days ago?
So am I right in saying, provided one hasn't used eBay in a long time (+3 years) to buy anything, and when they did they were careful to select sellers with very good feedback, and one has not noticed any unusual behaviour in their account since, the `likelihood` of them being hit with this vulnerability is significantly lower than others?
It's not a severe vulnerability. It's an ordinary vulnerability.
I do web application code reviews and very rarely find web applications without a few persisted XSS vulnerabilities.
This guy should have gone to HP Tipping Point ZDI (where they will BUY your vulnerability from you) instead of a clumsy zeroday disclosure on Slashdot. Some people have no class.
I agree. I needed to sell a bunch of phones for my company, and it was a fucking nightmare. I had to continue to call Ebay to increase my selling limit, increase selling limit for items, increase selling limit for item category, etc. Why the fuck won't they just let me sell? Paypal screws over the buyer, and their fees screw over the seller. Fuck Ebay.
"eBay "database" up for sale after hack"
http://www.channelnewsasia.com/news/singapore/ebay-database-up-for-sale/1118938.html
"Channel NewsAsia called up some of the local numbers and found them to be genuine."
"An eBay spokesman adds: "The published lists we have checked are not authentic eBay accounts.""
Hmmm, now who should we believe?
Fortunately, we can always tell when an eBay or "PreyPal" spokesperson is being disingenuous - their lips are moving! ...
http://www.ecommercebytes.com/forums/vbulletin/showthread.php?24736-Shill-Bidding-on-eBay-Case-Study-5
I wonder, apart from the AGM, and the furious bailing required to keep the rusting old scow afloat, what else has been going on at eBay between February and May?
Then, we have to appreciate that there is little intelligent life on planet eBay at or below the executive suite level. Most of the communications (both voice and certainly email) you have with eBay are undoubtedly with computer algorithms, and not very smart ones at that; so, one has to presume that even any regular algorithmic analysis by eBay of their communications logs is woeful and that anyone of any intelligence only glances at these logs maybe once every quarter; frankly, I suspect that we are lucky that eBay has even noticed that they have been hacked, for if there is a log of such hacking, why did they not notice it immediately and notify stakeholders promptly? And that's a rhetorical question, no need to offer an answer.
eBay Inc, where the incompetent mingle with the malevolent and the criminal ...
Oh come on, there are plenty of perfectly reasonable compromises you can make there. For example, require that the user have an additional authentication factor for remote login. TOTP (things like Google Authenticator) is popular, but (physical) smart cards are more secure.
Make it so that remote login can only be performed from a machine which has a client certificate on it that is tied to the user in question. There are a range of ways to do this, of varying degrees of usability vs. security/paranoia. Putting the cert only on a work-issued machine that is pre-loaded for telecommuting is one option; automatically installing it on any device that the user brings onto the corporate network (including personal laptops) is another. Even the weakest option of this flavor is still vastly more secure than most companies, but at relatively little cost. Combine it with multi-factor auth, and you've got a damn secure system without sacrificing much usability at all.
For the record, my employer does this. Remote work is not only accepted but actually required in my profession, so our work-issued laptops come with a user-specific client certificate and our new-hire process includes configuring a TOTP generator (usually a phone app) for the VPN. VPN thus requires my computer (for the cert), my phone (for the TOTP/authenticator value), my VPN password, and for good measure also my laptop's user account password (the private key for the cert is transparently encrypted with a key derived from my password), BitLocker password, and phone's PIN. The combination of theft, password-cracking, and social engineering required to obtain all this is truly awesome, yet the actual process of remote login only takes about 30 seconds once I'm logged in (requiring BitLocker, and therefore requiring hibernate instead of suspend, costs me significantly more time).
There's no place I could be, since I've found Serenity...
Although I've used eBay extensively for the last decade, I came to this conclusion about 6 months ago when I stumbled upon a new user who was attempting to sell about $200,000 of fake equipment. I knew the seller didn't own the items, as one of the higher-priced items listed pictures of the device that our company owns. The device itself is exceedingly rare and the pictures were taken in our facility. I called eBay no less than 4 times and spent about an hour each time working my way up their chain of supervisors. They always thanked me so much for informing them of the situation, but in reality they were blowing smoke up my ass. I watched as nearly $180,000 of fake equipment was sold to unsuspecting eBayers. They all left negative feedback for the auctions, stating that they had been ripped off. And when I called eBay to inform them of the error of their ways, they again thanked me and said they would fix the situation. Months have passed now and the user's account is still active. The moral of the story: eBay could give a crap about you, so you'd better cover your own ass.
Innovation Ignited
I published a note about this approximately 8 years ago: http://www.kb.cert.org/vuls/id...