Slashdot Mirror

← Back to Stories (view on slashdot.org)

eBay Redirect Attack Puts Buyers' Credentials At Risk

Posted by samzenpus on from the steal-it-now dept.

mrspoonsi points out this BBC story about an eBay breach that was directing users to a spoof site. "eBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials. The spoof site had been set up to look like the online marketplace's welcome page. The firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later. One security expert said he was surprised by the length of time taken. 'EBay is a large company and it should have a 24/7 response team to deal with this — and this case is unambiguously bad,' said Dr Steven Murdoch from University College London's Information Security Research Group. The security researcher was able to analyze the listing involved before eBay removed it. He said that the technique used was known as a cross-site scripting (XSS) attack."

37 comments

  1. Shiggity by Anonymous Coward · · Score: 0

    2014:
    Still using eBay

    I seriously hope you guys don't do this.

  2. NoScript by olsmeister · · Score: 5, Informative

    NoScript can help prevent XSS attacks. Use it.

    1. Re:NoScript by Ichijo · · Score: 4, Insightful

      It would be much easier to use NoScript if web sites stopped requiring JavaScript or at least stopped using scripts hosted on other web sites.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    2. Re:NoScript by nickittynickname · · Score: 1

      I have problems all the time with the ebay site. A lot of there javascript is broken anyways. (I'll click on place bid an nothing happens.) You would probably end up with a better experience. Although I do use greese/tamper monkey to get the price of shipping to show on the listing.

    3. Re:NoScript by Anonymous Coward · · Score: 3, Insightful

      We used to make fun of people who talked about "programming web pages". Nowadays they're right. Almost no big site is usable without Javascript. Not because there's anything on them that couldn't be done without Javascript, but because even the most trivial interactions are implemented in a way which requires Javascript. It's not uncommon for web sites to load scripts from more than a dozen external domains, and some of those scripts load more data from further external domains. And those aren't always nice, recognizable domains: Some are essentially random subdomains under cloud hoster domains. There is no way a normal user could make sense of the tangle and decide which scripts to allow and which to refuse. The web has turned into a horribly fragile API for remote code execution. I hesitate to call anything in this environment an exploit.

      The web is in desperate need of a more restrictive standard akin to PDF/A, one which is entirely declarative and in which all parts of a web page must come from the same domain. Then browsers could be told to only accept HTML/A for particular domains. It should be marketed as something that people need to look for, like the lock for SSL sites, when they need security.

    4. Re:NoScript by tlhIngan · · Score: 2

      It would be much easier to use NoScript if web sites stopped requiring JavaScript or at least stopped using scripts hosted on other web sites.

      And stopped hosting content on their own websites on other domains.

      I mean, is there a real advantage that amazon's images are hosted on amazon-images.com rather than amazon.com? Or static eBay stuff on ebaystatic.com ? (And nevermind Google's 1e100.net).

      Is there some distinct advantage, or is it a case of "IT won't get us what we need, so we set up an alternate website on our own dime" ?

      I mean, amazon-images.com vs. images.amazon.com, or ebaystatic.com vs. static.ebay.com ? I know domains are basically free, but still...

    5. Re:NoScript by BronsCon · · Score: 3, Informative

      I'm not sure about Amazon or eBay, but I know my company does it due to how DNS works. Our CDN wants control over the DNS for the domain we use for them, so they can serve static content from the closest possible location. That doesn't jive with our application, as we need control over DNS for the many domains we also host, so the solution was a dedicated domain for CDN use.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    6. Re:NoScript by Anonymous Coward · · Score: 1

      Someone (probably a Google guy, everybody does what they recommend) decided that cookies are such a burden that you must avoid sending them with requests for images and other resources. Cookies are sent with each HTTP request to the domain or one of its subdomains, hence the need to cut of the cookies by using a domain outside the main domain of the site. There may be ancillary benefits, like increasing the number of concurrent connections and moving less important resources out of the queue for the main server, so that important parts of the page load earlier.

      This may all look reasonable to you, and technically it is. But at some point the web authors must have lost the plot, because if anything slows down the page its the barrage of scripts they're including, not a few cookies.

    7. Re:NoScript by OSS542 · · Score: 3, Informative

      It is possible in NoScript to allow scripts. It will still provide protection from cross-scripting techniques.

    8. Re:NoScript by Anonymous Coward · · Score: 0

      That doesn't explain the use of a separate second-level domain. You could delegate a subdomain (third-level) of your normal domain to the CDN.

    9. Re:NoScript by cheater512 · · Score: 2

      Yes there is a distinct advantage.

      A) They are cookieless domains, which has a pile of benefits for static content
      B) They are usually CDN's which have obvious benefits.

    10. Re:NoScript by Alioth · · Score: 1

      Why not delegate them a third level domain? Your stuff on example.com, give your CDN control of cdn.example.com.

      --
      Oolite: Elite-like game. For Mac, Linux and Windows
    11. Re:NoScript by JimDarkmagic · · Score: 1

      I've heard there is security advantage to this from the TWiT.tv show Security Now. Sites with user-supplied content can host user-supplied content on separate domains to prevent some types of attacks. More specifically, I believe it limits certain types of attacks from malicious scripts using "Same-origin" policy - the browser limits what content from foreign domains can accomplish with content on the domain listed in the address bar

    12. Re:NoScript by Anonymous Coward · · Score: 0

      Sounds like a broken browser (or extension) more than a broken website.

    13. Re:NoScript by Anonymous Coward · · Score: 0

      Why not delegate them a third level domain? Your stuff on example.com, give your CDN control of cdn.example.com.

      I don't believe this would change anything in this case. If the third level domain differs then it's still cross-domain and browsers treat it as such.

    14. Re:NoScript by Anonymous Coward · · Score: 0

      The point is that you can easily tell NoScript to allow scripts from "example.com", which by default also allows scripts from "cdn.example.com" and "moredots.cdn.example.com".

    15. Re:NoScript by BronsCon · · Score: 2

      You know, I'll be completely honest and say I didn't know that was possible. A bit of research later and I see that it's actually pretty easy. I'll gt in touch with our CDN provider and see if they support it, since it'll be quite useful for our next platform release.

      Thanks for letting me know about that!

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    16. Re:NoScript by Anonymous Coward · · Score: 0

      It would be much easier to use NoScript if web sites stopped requiring JavaScript or at least stopped using scripts hosted on other web sites.

      And stopped hosting content on their own websites on other domains.

      I mean, is there a real advantage that amazon's images are hosted on amazon-images.com rather than amazon.com? Or static eBay stuff on ebaystatic.com ? (And nevermind Google's 1e100.net).

      Is there some distinct advantage, or is it a case of "IT won't get us what we need, so we set up an alternate website on our own dime" ?

      I mean, amazon-images.com vs. images.amazon.com, or ebaystatic.com vs. static.ebay.com ? I know domains are basically free, but still...

      The benefit to hosting images on a different domain is only really there when you run a site as large as amazon or ebay. The benefit is that each domain has its own separate set of cookies. The cookies can be disabled on a CDN domain, and you save on that bandwidth every request, which can be numerous with a site like amazon. Imagine if you have several million users visit your page daily. That means each image load, each time dynamic content loads, you're sending almost 2k just in the cookie per request to Amazon, which adds up to many extra terabytes of data being transmitted to your server every month.

  3. So what you're saying... by dgatwood · · Score: 1

    ...is that our selfies are safer.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. Dumb by Anonymous Coward · · Score: 0

    Bad form. We all make mistakes but try not to make obvious ones.

  5. hack???? by Anonymous Coward · · Score: 2, Informative

    there was no hack. you're all idiots.

    posting a link on a site designed to let you place links on, and a moron giving their credentials to someone else is not a hack.

    slashdot = stagnated

    1. Re:hack???? by squiggleslash · · Score: 1

      I think the number of people on Slashdot, a relatively technically edumicated audience, who think this is about someone putting a link on an auction page, and not about an automatic redirect when you visited an auction page, makes it fairly obvious why it took eBay 12 hours to respond.

      --
      You are not alone. This is not normal. None of this is normal.
  6. Yet another reason to use NoScript by neo-mkrey · · Score: 1

    There are no excuses, unless you are a Luddite or an ignoramus.

  7. meh by Anonymous Coward · · Score: 0

    Ebay fired or scared off most of their old, large, security team, years ago. I've not been lead to believe they've built a new one, as they kept it skeleton for years..

  8. There was no hack by MobyDisk · · Score: 5, Informative

    The article is completely overblowing this, borderling lying. Ebay was not hacked. The BBC should be ashamed and take the article down:

    EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials.

    But the image caption says the truth:

    A listing for an iPhone 5S contained code that resulted in users being sent to a scam site

    Those are *completely* different issues. A link is not a hack! The article goes on to make up more garbage:

    He [the security researcher] said that the technique used was known as a cross-site scripting (XSS) attack. It involved the attackers placing malicious Javascript code within product listing pages.

    Posting a link is not an XSS attack. And a link is not the same as Javascript.

    The article says "a security researcher" but they never say the persons name or credentials. I bet there was no researcher. It sounds more like a friend of one of the reporters saw this scam link, Googled some search terms and came-up with "XSS" then suddenly became a security researcher.

    1. Re:There was no hack by Enry · · Score: 1

      It sounds more like a friend of one of the reporters saw this scam link, Googled some search terms and came-up with "XSS" then suddenly became a security researcher.

      Sounds like the security researchers I know.

    2. Re:There was no hack by Anonymous Coward · · Score: 1

      Agree it was not a hack, but it was indeed an XSS attack. Watch the video. (https://www.youtube.com/watch?v=WT5TG_LvZz4). It is your assumption of the articles use of the work link(in this case they could replace it with listing) that is wrong.

    3. Re:There was no hack by AmiMoJo · · Score: 1

      EBay filters the HTML you can use in a listing. The idea is to prevent people doing exactly this, or say using JavaScript to change the description from "working" to "spares and repairs" after it finishes. The hack was finding a way to get around the filter and put this code on the page.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:There was no hack by Anonymous Coward · · Score: 0

      Very likely DOM XSS, so largely rendered in the client. I slowed the video down to frame-by-frame. If an example of the attack written-up, definitely a hack around eBay defenses. Could be easily staged, but appears the source javascript was embedded in the first listing then moved to a sink that triggered upon the next browser click. Notice use of back button on browser in lieu of click-through. Hard to say for certain what took place without seeing the code.

  9. Yes there was by dutchwhizzman · · Score: 4, Insightful

    Although a vulnerability to XSS isn't directly a hack of eBay, it *is* a hack of everyone visiting that page. *Every* visitor would be redirected to the malicious page automatically and their credentials would be stolen there if the user would re-enter them. Since eBay left their website vulnerable to this sort of malicious automatic redirect, abusing this vulnerability to place malicious code on eBay's website is technically a hack.

    --
    I was promised a flying car. Where is my flying car?
  10. Arbitrary JS in listings! What could go wrong? by jeffb+(2.718) · · Score: 2

    I remember yelling and waving my arms at some length years ago when I discovered that you could put arbitrary JavaScript into your auction descriptions. Sure, it lets you have cool expanding images and whatnot -- but I can't imagine securing it against attacks that do something like this, or attach event handlers to the controls in the eBay-served sections of the page, or any number of other nefarious things. Everybody told me to calm down and shut up at the time, and my posts on eBay's discussion forum disappeared pretty quickly.

    I'm only surprised that it's taken this long for an attack to get even this minimal degree of coverage. (I was going to say "I'm surprised it took this long for someone to implement an attack", but I have no reason to believe that this is the first one.)

  11. Re: eBay dismissed 90% of their security teams by Anonymous Coward · · Score: 0

    Best yet it was a constructive dismissal. All who knew the nooks and crannies...the bad, ugly and unethical/illegal were pushed out.

  12. gfhdfghdfgh by MrL0G1C · · Score: 2

    BBC:

    EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site

    Are you fucking kidding me, the BBC 'journalist' is a moron, links take people to other pages, what the fuck did you think they do mr "Leo Kelion Technology desk editor"?

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  13. Link your PayPal account and see what happens by franblets · · Score: 1

    This is just exactly what was bound to happen after the push to link the EBay/PayPal accounts. I have a PayPal two factor token; EBay asks me to link them and then the two factor authentication was rendered useless. I broke the link. EBay needs to get a grip.