Slashdot Mirror

← Back to Stories (view on slashdot.org)

Severe Vulnerability At eBay's Website

Posted by timothy on from the going-once-going-twice dept.

New submitter Golem.de (3664475) writes with another security problem at eBay: "The German security expert Micheal E. discovered the persistent cross-site scripting vulnerability on eBay's website about two months ago and said he reported it to Ebay immediately. Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error that has not yet been fixed. An attacker can manipulate an official auctioning web page and insert Javascript code. By visiting the malicious web page the code is executed by the victim and could potentially be used by the attacker to to execute arbitrary actions in the victim's Ebay account and gain full control over it. There is probably no connection to the huge database theft reported a few days ago. The XSS flaw can only be used to attack one victim at a time."

41 of 60 comments (clear)

  1. Get rid of it by Anonymous Coward · · Score: 5, Funny

    Well if eBay doesn't want his exploit, perhaps he should auction it off to the highest bidder... isn't there a site for that?

  2. Sounds like the eBay I knew... by sjbe · · Score: 4, Interesting

    Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error that has not yet been fixed.

    I used to make my living selling stuff on eBay some years ago. This sounds like par for the course when it comes to eBay's coding competence. We developed some custom software to handle our listings and other activities and to say eBay's code was poor was a gross understatement. Their security procedures were haphazard and arbitrary and they didn't seem to care much. Maybe they've gotten better in the last 7 years but based on what I'm reading lately it seems not so much.

    1. Re:Sounds like the eBay I knew... by Lisias · · Score: 1

      There's nothing so bad that could not be worse.

      eBay is going to Brazil. Guess what? I'm happy.

      Our currently "best" auction site, Mercado Livre, is so broke that sometimes I speculate if these guys are operating in bad faith (I know for sure that they would had be sued if they operated in USA).

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    2. Re:Sounds like the eBay I knew... by Anonymous Coward · · Score: 1

      Right, because ebay is not a software development company. They *also* need software to facilitate their core business. So, code quality just isn't to them what it would be to someone else.

      Further, as I understand, legally ebay is also not an auction house. Thus, they are not beholden to regulations intended to protect their end-users. This further reduces their incentive to invest in security.

      The "just get it working" battle cry is all too common. So long as nothing bad has happened yet...and the cash is rolling in...then the code is exactly as it should be (in their opinion).

      If top-quality code was cheap, everyone would have it. As it stands, everyone wants "cheap for me but seems tip-top to my clients." That's just the way business works.

    3. Re:Sounds like the eBay I knew... by Lisias · · Score: 1

      Hmm? Brazil and Argentina have "mercado livre" for years, and AFAICT they're ebay with a different name (same platform).

      Yep. Until not that much time ago, M.L. was a fine place to buy and sell. But from some years to now, things changed - user's support is near zero, you just can't make a complaint online. Too much rules are relaxed, what favors bad faith sellers.

      EBay was a partner until recently, but what we heard is that eBay got fed with all that and decided to do business directly around here. What is one of the best noticies we got in years : we *need* competition around here.

      I found something here to supports what I'm saying. Google translating here.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    4. Re:Sounds like the eBay I knew... by TheDarkMaster · · Score: 1

      Second on that. "Mercado Livre" is pure shit. As example, if you look closely at the page for registering complaints you will realize that they only care about situations which can harm their profits, you can not even complain about other situations.

      --
      Religion: The greatest weapon of mass destruction of all time
  3. employee by gbjbaanb · · Score: 5, Insightful

    I heard the problem at eBay was that an employee's login had been compromised (via social engineering apparently, but we might never know).
    Regardless of how that happened, that an employee was able to login from a remote location shows the sad state of affairs of security today.

    When I worked at a credit reference agency, security was top priority - as if you lost someone else's data (eg a banks) then said bank would withdraw your access to their data, and that meant you couldn't continue to do business.

    So we had the production servers in a datacentre that were physically disconnected to the internet. You wanted to update your SQL, someone had to go there (it was very close :) ) to update things. The only connection to the outside world was the web servers, and they had access solely to locked-down services that in turn solely had access to the parts of the DB that they needed to read from.

    Layers of security like this mean that if you get your web site hacked (as happens, frequently) the attacker cannot do much damage. They must hack the services layer as well (which means attacking the OS they run on, through a very narrow firewall) and even then they would have to hack the OS security to gain access to a limited section of data. They'd have to further hack the DB to get access to all the data.

    So no-one could ever realistically dump the entire user table in that system. Why anyone lets websites do less is a mystery to me.

    Note: Even so-called "security editors" fall intot he camp of thinking layered security is not necessary. In this ArsTechnica story, the 'promoted comment' describes a riposte where the poster says the web server needs a direct connection to the web server!!! I can understand some junior web dev thinking it, I can't imagine anyone who knows security taking it seriously, yet many did. This is why we have breach after breach.

    1. Re:employee by Anonymous Coward · · Score: 1

      Don't be too proud of yourself.

      I went to a Defcon presentation showing a website that used REST services. With the REST services they were able to run any command they wanted to on the DB backend, through the firewall without compromising the OS or showing the web server doing anything strange. They backed up the DB and sent it to themselves with the default REST calls Java provided. It was actually that bad of a security hole, but required Java REST services providing the web pages.

      A week later at my work we had a contractor come in and propose a solution that provided the same vulnerability. Had I not been to Defcon we would have probably had the same problem and never known.

    2. Re:employee by richlv · · Score: 1

      "web server needs a direct connection to the web server" - i assume you meant "database server" in the last one.

      so how do you code a website like ebay without accessing the database ? what's the point of disconnected servers - do you get somebody manually bringing requests to/from the webservers ? that would make search rather slow...

      --
      Rich
    3. Re:employee by tlhIngan · · Score: 1

      I heard the problem at eBay was that an employee's login had been compromised (via social engineering apparently, but we might never know).
      Regardless of how that happened, that an employee was able to login from a remote location shows the sad state of affairs of security today.

      You know of things like "teleworking" or "telecommuting" right? And some companies, especially technology ones, tend to have a LOT of people who do that. Heck, they may not even live in the same COUNTRY as the company. In fact, most technology companies generally have "forward thinking" when they do it. See Yahoo when their new CEO cancelled all telecommuting. It's often encouraged by companies too.

      So remote logins are a way of life. Most companies have it, even ones that don't do telework because employees may need to travel and access resources back at HQ.

      So remote logins are a fact of life. eBay is no different.

      Now, there may be plenty of ways to get at the data - we know it's possible because eBay users have to, well, be able to update their addresses, phone numbers, etc. online. Perhaps once on the network they could phish for someone with the right credentials (if they socially engineered their way into one person's account, there's probably plenty more victims).

      And thus comes the great security issue. How to let anyone and everyone read and write a particular record (i.e., a user to review, update and pass on information (like shipping addresses)) of a database, while keeping the database off of the internet.

    4. Re:employee by Pinky's+Brain · · Score: 1

      Why do you say "the" database? They at the very least need 2 already. IMO payment data and logins need to be behind narrow firewalls with very limited pure socket (ie. not database) interfaces to the outside (why open yourself up to flaws in the database interfaces when you only need trivial queries?). Might as well split those up into two while you're at it.

    5. Re:employee by Pinky's+Brain · · Score: 1

      Give each employee who teleworks a dedicated computer with hardware VLAN which he is only allowed to use on that VLAN (ie. no USB ports, no internet, no nothing ... if he wants to copy/paste something to it from another source sysadmins have to get involved).

      It's the only reasonable way to allow telework on systems like this ... if you want to BYOD for that you should be redirected to the unemployment office.

    6. Re:employee by richlv · · Score: 1

      true, but parent said "So we had the production servers in a datacentre that were physically disconnected to the internet." - how should that work for products that do not do massive offline data crunching, i do not know...

      --
      Rich
    7. Re:employee by RubberDogBone · · Score: 1

      eBay slipped on this one because they detected the compromised account as merely a misuse of employee web privileges, a minor sort of issue perhaps to be mentioned by said employee's manager at their next review. Nobody noticed the scope of the issue until much later.

      Anyway, remote employees are the rule everywhere these days. They're either the boss working from home or minions unworthy to have a company desk, or all the jobs that have been outsourced.

      The plenty of projects going on these days where not a single person involved is actually in a physical office owned or operated by the actual companies involved.

      I recently worked on a large IT project with one the huge IT companies you've heard of. While their main project manager was based domestically where the work was taking place, the ENTIRE remaining participation from huge IT was offshored. Most of the other third-party contractors (and there were a LOT of them on this, all touching extremely sensitive data) were also offshore. The contractor I worked for, ironically, is a foreign-owned company but all of our people on this one were domestic.

      --
      Sig for hire.
    8. Re:employee by LoztInSpace · · Score: 1

      You actually should have your web "site" running in a DMZ with no connections other than back to your service layer. It is this layer in on a different LAN that has access to and DBs (ideally just enough, but in practice often to the entire DB) and other resources. The services can only perform operations intended to be used by the site, so unless there's a "give me a list of all users" requirement, it's not going to happen.

      So in a way, yes, there is a request to & from web servers but it's software not people :)

    9. Re:employee by richlv · · Score: 1

      sure. but how do you have backend servers "physically disconnected to the internet." ?

      that seems to be either an ignorant claim, or a flamebait :)

      --
      Rich
  4. Most big businesses are staffed by idiots... by Anonymous Coward · · Score: 5, Informative

    ...but run by excellent salespeople.

    Capitalism is 90% salesmanship.

    1. Re:Most big businesses are staffed by idiots... by TheGratefulNet · · Score: 4, Funny

      Capitalism is 90% salesmanship.

      and the other 12% is math.

      --

      --
      "It is now safe to switch off your computer."
  5. erm.. by tero · · Score: 1

    So how about a write-up in English Mr. Golem?

    1. Re:erm.. by Zontar+The+Mindless · · Score: 1

      Yeah, how about a write-up in English?

      --
      Il n'y a pas de Planet B.
  6. Fuck ePay by ArchieBunker · · Score: 4, Informative

    ePay is so hostile for anyone selling casually its no longer worth your time. Paypal now holds onto your funds for weeks if you haven't sold anything recently and your feedback score or number of auctions makes no difference. No matter what small item is sold everyone complains. As a seller you'll automatically lose any complaint filed against you. People overpay for items and then complain something is wrong and then pick arbitrary partial refund values. The auction fees themselves have gotten ridiculous, over 10% on small items. As a buyer you won't find any auction deals. That time has long past. Now its mostly a marketplace for Chinese storefronts.

    Why can't someone come up with an alternative? Google has a payment system up and running so why can't they make a competitor?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Fuck ePay by ArcadeMan · · Score: 1

      Google's payment system only work in a handful of countries. PayPal works almost everywhere on the planet.

      --
      Get free satoshi (Bitcoin) and Dogecoins
    2. Re:Fuck ePay by nabsltd · · Score: 2

      Paypal now holds onto your funds for weeks if you haven't sold anything recently and your feedback score or number of auctions makes no difference.

      There must be something that makes a difference, as I hadn't sold anything in years, but recently sold over $1000 of server hardware and the money was available to me immediately. I have perfect feedback, and used to sell a lot, when eBay was mostly private individuals.

      As a buyer you won't find any auction deals.

      I still buy sometimes, if I know exactly what I want (searching without the right keywords can lead to lots of useless results). I have found some great deals, again mostly on server hardware, but often on "accessories" for other items that are the standard high markup items (batteries, cables, etc.). eBay isn't perfect by any means, but it still has a place in my online shopping world.

    3. Re:Fuck ePay by Gaygirlie · · Score: 1

      PayPal screws people over almost everywhere on the planet.

      TFTFY.

      Tbh, PayPal works great if you just use it for payments. I have never sold anything on the Internet, so I have no experience with such stuff, but I use PayPal to pay for stuff all the damn time and I find it just absolutely god damn great for that. I certainly don't want to spread my credit card details all over the Internet and no other payment system comes even close to reaching all the places PayPal does.

    4. Re:Fuck ePay by tlhIngan · · Score: 1

      ePay is so hostile for anyone selling casually its no longer worth your time. Paypal now holds onto your funds for weeks if you haven't sold anything recently and your feedback score or number of auctions makes no difference. No matter what small item is sold everyone complains. As a seller you'll automatically lose any complaint filed against you. People overpay for items and then complain something is wrong and then pick arbitrary partial refund values. The auction fees themselves have gotten ridiculous, over 10% on small items. As a buyer you won't find any auction deals. That time has long past. Now its mostly a marketplace for Chinese storefronts.

      Why can't someone come up with an alternative? Google has a payment system up and running so why can't they make a competitor?

      Because Google Wallet is effectively a merchant account. And merchant accounts aren't available to every Joe Blow on the street (unlike Paypal, which allows anyone to send a credit card payment to anyone else).

      And Paypal's policies aren't actually out of line with merchant accounts - did you know that a vendor accepting credit cards is liable for transactions up to 6 months in the future? And that when a chargeback occurs, you are required to show proof of transaction (so keep those receipts neatly filed!) which have to be sent as proof.

      Google Wallet, Amazon Payments, etc., they all require pre-qualification in order to open an account and get payments. If you're only selling some random vase on eBay once a year, you pretty much can't open an account (there are big fees to be paid for not hitting minimum monthly transaction amounts - which are usually quite low, e.g., $500 in credit charges a month).

      It's why eBay+Paypal go well together because sending money by mail is an anachronism for online shopping.

      That, and Paypal supports opening a receiving account almost anywhere around the world. Google Wallet and Amazon are limited because of local regulations that make it harder to be one generic face of payment systems. (Once you have an account, you can accept payment from anywhere).

      The only other alternative is to create a new payment scheme that allows people to send and receive money from each other. Like Bitcoin, but to also make it convenient on everyone concerned.

    5. Re:Fuck ePay by Aighearach · · Score: 1

      I recommend craigslist + amazon payments

    6. Re:Fuck ePay by thegarbz · · Score: 1

      There must be something that makes a difference, as I hadn't sold anything in years, but recently sold over $1000 of server hardware and the money was available to me immediately.

      There is a difference. When they rolled the 24 sided die your number was the lucky number 7. The other 23 people are still waiting for their funds to be freed up.

      Joking aside I see absolutely zero pattern. I've bought and sold without problem. I've received refunds and filed complaints without problem. Then randomly one day I get a refund for $30 because the seller didn't actually have in stock the item he was selling and Paypal holds my funds for 30 days with no offer for recourse. It wasn't even a case of Paypal was not paying out, they withheld my money with no reason given. Even when I made a payment it took a fresh amount of dollars off my card.

      After about 2 weeks I got a reply to my complaint and they dared to feed me some bullshit about waiting for funds to clear from Visa. A quick google search will show they do this seemingly at random to people all over the world and never with an explanation.

    7. Re:Fuck ePay by TheDarkMaster · · Score: 1

      That and the fact that governments actually do not like the idea of having people transferring money to each other through a system like Paypal, where they do not have the same control they have when payments are made by traditional means. Especially in my country where the government would prefer that the citizens would be prohibited from buying overseas.

      --
      Religion: The greatest weapon of mass destruction of all time
    8. Re:Fuck ePay by mpe · · Score: 1

      That and the fact that governments actually do not like the idea of having people transferring money to each other through a system like Paypal, where they do not have the same control they have when payments are made by traditional means. Especially in my country where the government would prefer that the citizens would be prohibited from buying overseas.

      If you qualify this as "buying certain things overseas" that covers the vast majority of governments. Also transnational businesses also tend to want to prevent "customer globalization". Probably they do lots of lobbying of various governments towards this end.

    9. Re:Fuck ePay by rainmaestro · · Score: 2

      And let's not forget the fact that you can't leave negative feedback for a shitty buyer anymore. Or get a negative feedback rescinded. I have a negative on my seller account from a buyer who didn't like the size of the address label I put on the shipping box, a negative which eBay refused to remove.

      A few years back I had a package returned unopened. Emailed the buyer to see what happened (thinking maybe I had the address wrong). No reply. Kept sending emails, about three weeks later I finally get a response: "Oh, I changed my mind and decided I didn't want the item anymore. I've filed a chargeback with my credit card company for it." Eventually, I got the contact from Paypal informing me of the disputed transaction. Her claim with her CC company was that it was an unauthorized charge. I sent everything I had (including that email chain) to Paypal. Naturally, I lost (I always expect to lose as a seller). And I couldn't leave a negative feedback for the buyer.

      That was the last time I gave eBay any of my business. As long as they continue to operate like they do, I'll never buy or sell an item on there again.

    10. Re:Fuck ePay by TheDarkMaster · · Score: 1

      Nothing illegal. Mundane things like computer equipment, some clothes, cars, and other items that are much cheaper abroad than in my country. (here you ALWAYS pay twice what a car is worth). But as you know, globalization only applies to businesses, to consumers what happens is feudalism.

      --
      Religion: The greatest weapon of mass destruction of all time
  7. Not too convincing... by newfurniturey · · Score: 4, Insightful

    The linked article has zero information regarding this attack and instead focuses on eBay's attack history; once more, it also links to it's own eBay page so +1 for that.

    The one hint it does include is a picture and in the picture you can see that the JavaScript is being inserted into the title of the listing (not sure if that's the actual vulnerability or not though). However, as a security researcher, showing a PoC against a large company requires more than a simple alert(1) and instead should use something such as alert(document.domain). The reason for document.domain is because it will show what hostname the JavaScript is executing under - which means everything when it comes to security.

    If this is really an XSS hole and eBay comes back with "it's not that bad", there's a good chance that the JavaScript is executing in an iframe on a separate domain which means attackers would not have important access such as a user's cookies / etc. Instead, they'll only be able to execute arbitrary JavaScript (which is bad, but nothing worse than setting up a bad domain and using SEO tricks to drive traffic to it).

    Can anyone find a more relevant article that spills out the actual details of this, or maybe one that includes the actual PoC this researcher has created?

  8. The power of network effects by sjbe · · Score: 1

    Google has a payment system up and running so why can't they make a competitor?

    Because Google is an advertising company, eBay's profit margins are half of Google's, and Google has no realistic chance at taking over eBay's business anyway short of buying them outright. EBay is a great example of the power of the networking effect. They aren't particularly good at technology but they have the network effect working for them big time. It's the place with the most sellers and the most buyers so it is REALLY hard to displace them because anywhere else you aren't as likely to get a sale. Amazon (sorta) tried. Google (sorta) tried. There are plenty of other auction sites but the only thing that is likely to displace eBay is screw ups by eBay.

  9. Re:Proofread... by Soulskill · · Score: 1

    Just fixed this, thanks.

  10. Re:Proofread... by Anonymous Coward · · Score: 1

    This is /. -- they have no standards.

    Hell, they let us post here.

  11. eBay !!! by PhilipCohen · · Score: 1

    I wonder, apart from the AGM, and the furious bailing required to keep the rusting old scow afloat, what else has been going on at eBay between February and May? Then, we have to appreciate that there is little intelligent life on planet eBay at or below the executive suite level. Most of the communications (both voice and certainly email) you have with eBay are undoubtedly with computer algorithms, and not very smart ones at that; so, one has to presume that even any regular algorithmic analysis by eBay of their communications logs is woeful and that anyone of any intelligence only glances at these logs maybe once every quarter; frankly, I suspect that we are lucky that eBay has even noticed that they have been hacked, for if there is a log of such hacking, why did they not notice it immediately and notify stakeholders promptly? And thatÃ(TM)s a rhetorical question, no need to offer an answer æ eBay Inc, where the incompetent mingle with the malevolent and the criminal ... http://www.ecommercebytes.com/...

  12. eBay! by PhilipCohen · · Score: 1

    I wonder, apart from the AGM, and the furious bailing required to keep the rusting old scow afloat, what else has been going on at eBay between February and May? Then, I suppose we have to accept that there is little intelligent life on planet eBay at or below the executive suite level. Most of the communications (both voice and certainly email) you have with eBay are undoubtedly with computer algorithms, and not very smart ones at that; so, one has to presume that even any regular algorithmic analysis by eBay of their communications logs is woeful and that anyone of any intelligence only glances at these logs maybe once every quarter; frankly, I suspect that we are lucky that eBay has even noticed that they have been hacked, for if there is a log of such hacking, why did they not notice it immediately and notify stakeholders promptly? And thatÃ(TM)s a rhetorical question, no need to offer an answer æ eBay Inc, where the incompetent mingle with the malevolent and the criminal ... http://www.ecommercebytes.com/...

  13. That's excessive by cbhacking · · Score: 1

    Oh come on, there are plenty of perfectly reasonable compromises you can make there. For example, require that the user have an additional authentication factor for remote login. TOTP (things like Google Authenticator) is popular, but (physical) smart cards are more secure.

    Make it so that remote login can only be performed from a machine which has a client certificate on it that is tied to the user in question. There are a range of ways to do this, of varying degrees of usability vs. security/paranoia. Putting the cert only on a work-issued machine that is pre-loaded for telecommuting is one option; automatically installing it on any device that the user brings onto the corporate network (including personal laptops) is another. Even the weakest option of this flavor is still vastly more secure than most companies, but at relatively little cost. Combine it with multi-factor auth, and you've got a damn secure system without sacrificing much usability at all.

    For the record, my employer does this. Remote work is not only accepted but actually required in my profession, so our work-issued laptops come with a user-specific client certificate and our new-hire process includes configuring a TOTP generator (usually a phone app) for the VPN. VPN thus requires my computer (for the cert), my phone (for the TOTP/authenticator value), my VPN password, and for good measure also my laptop's user account password (the private key for the cert is transparently encrypted with a key derived from my password), BitLocker password, and phone's PIN. The combination of theft, password-cracking, and social engineering required to obtain all this is truly awesome, yet the actual process of remote login only takes about 30 seconds once I'm logged in (requiring BitLocker, and therefore requiring hibernate instead of suspend, costs me significantly more time).

    --
    There's no place I could be, since I've found Serenity...
    1. Re:That's excessive by Pinky's+Brain · · Score: 1

      Why steal all that shit when they can just own your computer with some zero day and wait for you to go to the bathroom?

  14. eBay Really Doesn't Give a Flying F*ck by MedSpark · · Score: 1

    Although I've used eBay extensively for the last decade, I came to this conclusion about 6 months ago when I stumbled upon a new user who was attempting to sell about $200,000 of fake equipment. I knew the seller didn't own the items, as one of the higher-priced items listed pictures of the device that our company owns. The device itself is exceedingly rare and the pictures were taken in our facility. I called eBay no less than 4 times and spent about an hour each time working my way up their chain of supervisors. They always thanked me so much for informing them of the situation, but in reality they were blowing smoke up my ass. I watched as nearly $180,000 of fake equipment was sold to unsuspecting eBayers. They all left negative feedback for the auctions, stating that they had been ripped off. And when I called eBay to inform then of the error of their ways, they again thanked me and said they would fix the situation. Months have passed now and the user's account is still active. The moral of the story: eBay could give a crap about you, so you'd better cover your own ass.

    --
    Innovation Ignited
  15. This isn't anything new by WD · · Score: 1

    I published a note about this approximately 8 years ago: http://www.kb.cert.org/vuls/id...