Slashdot Mirror


Severe Vulnerability At eBay's Website

New submitter Golem.de (3664475) writes with another security problem at eBay: "The German security expert Micheal E. discovered the persistent cross-site scripting vulnerability on eBay's website about two months ago and said he reported it to Ebay immediately. Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error has not yet been fixed. An attacker can manipulate an official auctioning web page and insert Javascript code. By visiting the malicious web page the code is executed by the victim and could potentially be used by the attacker to execute arbitrary actions in the victim's Ebay account and gain full control over it. There is probably no connection to the huge database theft reported a few days ago. The XSS flaw can only be used to attack one victim at a time."
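The bug described in the submission is a stored XSS: seller-supplied listing text is written into an auction page without encoding, so a browser that loads the listing runs whatever markup the seller saved. The usual fix is to keep the raw text in the database but encode it for the HTML context at output time, and to allow only http(s) URLs in attributes such as `src`. The block below is an added illustration of that defence, not code from eBay, Golem.de or the researcher; the listing object, the template and the function names (`escapeHtml`, `safeUrl`, `renderListing`, `isInert`) are all constructed for this example.

```javascript
// Added example (not eBay's or Golem.de's code): rendering untrusted auction
// listing fields so that markup stored in them cannot execute in the viewer's
// browser. The listing object and its payload are constructed for the demo.

const ESCAPE = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a string for insertion into an HTML text or double-quoted attribute
// context. All five significant characters are replaced, so no tag or
// attribute boundary can be opened by the encoded value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE[ch]);
}

// Accept only absolute http(s) URLs for src/href; javascript:, data: and
// unparseable values are dropped rather than rendered.
function safeUrl(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '';
  } catch (_err) {
    return '';
  }
}

// Build the listing fragment from seller-supplied fields. The seller's text is
// encoded here, at output time, so the page never carries raw listing markup.
function renderListing(listing) {
  const title = escapeHtml(listing.title);
  const desc = escapeHtml(listing.description);
  const img = safeUrl(listing.imageUrl);
  const imgTag = img ? `<img src="${escapeHtml(img)}" alt="${title}">` : '';
  return [
    '<article class="listing">',
    `<h1>${title}</h1>`,
    imgTag,
    `<p>${desc}</p>`,
    '</article>',
  ].join('\n');
}

// Constructed listing carrying the kind of content a stored-XSS bug would let
// through: a script tag in the title, an attribute break-out in the
// description and a javascript: URL in the image field.
const hostileListing = {
  title: 'Vintage camera <script>alert(document.cookie)</script>',
  description: '"><img src=x onerror="alert(1)">',
  imageUrl: 'javascript:alert(1)',
};

// Check that the only tags in the rendered fragment are the template's own and
// that no javascript: scheme survived. Encoded input text cannot contain '<',
// so any tag found must come from the template.
function isInert(html) {
  const allowed = new Set(['article', 'h1', 'img', 'p']);
  const tags = [...html.matchAll(/<\/?([a-z0-9]+)/gi)].map((m) => m[1].toLowerCase());
  return tags.every((t) => allowed.has(t)) && !/javascript:/i.test(html);
}

const demoHtml = renderListing(hostileListing);
console.log(demoHtml);
console.log('inert:', isInert(demoHtml));
```

Encoding on output rather than on input is the design choice worth noting: the stored value stays intact for other contexts (search indexing, an API response, a JSON feed), and each renderer applies the encoding its own context needs. A Content-Security-Policy header that disallows inline script is a worthwhile second layer, since it limits what an encoding mistake elsewhere in the page can do.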

3 of 60 comments

  1. Get rid of it by Anonymous Coward · Score: 5, Funny

    Well if eBay doesn't want his exploit, perhaps he should auction it off to the highest bidder... isn't there a site for that?

  2. employee by gbjbaanb · Score: 5, Insightful

    I heard the problem at eBay was that an employee's login had been compromised (via social engineering apparently, but we might never know).
    Regardless of how that happened, that an employee was able to log in from a remote location shows the sad state of affairs of security today.

    When I worked at a credit reference agency, security was top priority - as if you lost someone else's data (e.g. a bank's) then said bank would withdraw your access to their data, and that meant you couldn't continue to do business.

    So we had the production servers in a datacentre that were physically disconnected from the internet. You wanted to update your SQL, someone had to go there (it was very close :) ) to update things. The only connection to the outside world was the web servers, and they had access solely to locked-down services that in turn solely had access to the parts of the DB that they needed to read from.

    Layers of security like this mean that if you get your web site hacked (as happens, frequently) the attacker cannot do much damage. They must hack the services layer as well (which means attacking the OS they run on, through a very narrow firewall) and even then they would have to hack the OS security to gain access to a limited section of data. They'd have to further hack the DB to get access to all the data.

    So no-one could ever realistically dump the entire user table in that system. Why anyone lets websites do less is a mystery to me.

    Note: Even so-called "security editors" fall into the camp of thinking layered security is not necessary. In this ArsTechnica story, the 'promoted comment' describes a riposte where the poster says the web server needs a direct connection to the web server!!! I can understand some junior web dev thinking it, I can't imagine anyone who knows security taking it seriously, yet many did. This is why we have breach after breach.

  3. Most big businesses are staffed by idiots... by Anonymous Coward · Score: 5, Informative

    ...but run by excellent salespeople.

    Capitalism is 90% salesmanship.