Slashdot Mirror

← Back to Stories (view on slashdot.org)

eBay Redirect Attack Puts Buyers' Credentials At Risk

Posted by samzenpus on from the steal-it-now dept.

mrspoonsi points out this BBC story about an eBay breach that was directing users to a spoof site. "eBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials. The spoof site had been set up to look like the online marketplace's welcome page. The firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later. One security expert said he was surprised by the length of time taken. 'EBay is a large company and it should have a 24/7 response team to deal with this — and this case is unambiguously bad,' said Dr Steven Murdoch from University College London's Information Security Research Group. The security researcher was able to analyze the listing involved before eBay removed it. He said that the technique used was known as a cross-site scripting (XSS) attack."

7 of 37 comments (clear)

  1. NoScript by olsmeister · · Score: 5, Informative

    NoScript can help prevent XSS attacks. Use it.

    1. Re:NoScript by Ichijo · · Score: 4, Insightful

      It would be much easier to use NoScript if web sites stopped requiring JavaScript or at least stopped using scripts hosted on other web sites.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    2. Re:NoScript by Anonymous Coward · · Score: 3, Insightful

      We used to make fun of people who talked about "programming web pages". Nowadays they're right. Almost no big site is usable without Javascript. Not because there's anything on them that couldn't be done without Javascript, but because even the most trivial interactions are implemented in a way which requires Javascript. It's not uncommon for web sites to load scripts from more than a dozen external domains, and some of those scripts load more data from further external domains. And those aren't always nice, recognizable domains: Some are essentially random subdomains under cloud hoster domains. There is no way a normal user could make sense of the tangle and decide which scripts to allow and which to refuse. The web has turned into a horribly fragile API for remote code execution. I hesitate to call anything in this environment an exploit.

      The web is in desperate need of a more restrictive standard akin to PDF/A, one which is entirely declarative and in which all parts of a web page must come from the same domain. Then browsers could be told to only accept HTML/A for particular domains. It should be marketed as something that people need to look for, like the lock for SSL sites, when they need security.

    3. Re:NoScript by BronsCon · · Score: 3, Informative

      I'm not sure about Amazon or eBay, but I know my company does it due to how DNS works. Our CDN wants control over the DNS for the domain we use for them, so they can serve static content from the closest possible location. That doesn't jive with our application, as we need control over DNS for the many domains we also host, so the solution was a dedicated domain for CDN use.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    4. Re:NoScript by OSS542 · · Score: 3, Informative

      It is possible in NoScript to allow scripts. It will still provide protection from cross-scripting techniques.

  2. There was no hack by MobyDisk · · Score: 5, Informative

    The article is completely overblowing this, borderling lying. Ebay was not hacked. The BBC should be ashamed and take the article down:

    EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials.

    But the image caption says the truth:

    A listing for an iPhone 5S contained code that resulted in users being sent to a scam site

    Those are *completely* different issues. A link is not a hack! The article goes on to make up more garbage:

    He [the security researcher] said that the technique used was known as a cross-site scripting (XSS) attack. It involved the attackers placing malicious Javascript code within product listing pages.

    Posting a link is not an XSS attack. And a link is not the same as Javascript.

    The article says "a security researcher" but they never say the persons name or credentials. I bet there was no researcher. It sounds more like a friend of one of the reporters saw this scam link, Googled some search terms and came-up with "XSS" then suddenly became a security researcher.

  3. Yes there was by dutchwhizzman · · Score: 4, Insightful

    Although a vulnerability to XSS isn't directly a hack of eBay, it *is* a hack of everyone visiting that page. *Every* visitor would be redirected to the malicious page automatically and their credentials would be stolen there if the user would re-enter them. Since eBay left their website vulnerable to this sort of malicious automatic redirect, abusing this vulnerability to place malicious code on eBay's website is technically a hack.

    --
    I was promised a flying car. Where is my flying car?