eBay XSS bug left users vulnerable to (almost) undetectable phishing attacks

It’s the same old familiar, cheery red-blue-yellow-green sans serif logo at the top of an eBay login page that we know so well.

The URL even starts with ebay.com.

But if you were to input your email and eBay password, it would have returned an error message, while your login information could have been harvested by malicious hackers who might have then had free rein to wreck havoc in your hijacked account.

Fortunately, as of Monday, eBay had patched the XSS (Cross-Site Scripting) vulnerability that hackers could have used to inject parasitic code into its sign-in page.

As Motherboard reports, a researcher, who goes by the name MLT, found the flaw in early December and reported it to eBay on December 11.

On Monday, MLT published a post explaining how he pulled off the XSS and lambasting eBay’s apparently lackadaisical response to his report.

Its title: “A tale of eBay XSS and shoddy incident response.”

It might have been nothing more than a mixup: Ryan Moore, an eBay spokesperson, last week told Motherboard that there’d been “a bit of miscommunication” because MLT followed up on his initial bug report with “a different email alias.”

At any rate, MLT explained his exploit in Monday’s post and demonstrated it in a video.

The eBay sign-in page includes a url parameter in its address and the contents of that parameter are written in to the page before it’s shown to the user.

Unfortunately the page didn’t check what was in the url parameter before including it in the page so MLT was able to use it include his own code alongside eBay’s.

The flaw didn’t allow the page to be modified permanently but it could have been used as a trap for harvesting eBay users’ credentials by any attacker who could trick them in to clicking on spiked links.

XSS bugs are one of the most common web vulnerabilities and they are, frankly, easy to stop.

Flaws like the one found by MLT represent a significant threat because they can be used to create invisible phishing attacks  that actually turn vigilant users’ techniques for spotting phishing sites against them.

Naked Security has written about them quite a bit. We gave an explanation of how they work in February 2015, when Internet Explorer was discovered to have an XSS zero day.

eBay’s Moore told the publication that the company is “committed to providing a safe and secure marketplace for our millions of customers around the world,” and that it was working “quickly” to fix bugs.

This isn’t the first time that eBay’s had an XSS bug hanging around and getting a bit ripe.

In April 2015, researcher Jaanus Kääp found that a bug he’d reported to eBay over a year earlier was still a problem, and it was a serious one: the XSS bug could allow an attacker to carry out an XSS attack over eBay’s internal messaging system by catching and tweaking a request, as he explained in a post on his blog.

He was surprised: it had struck him as a pretty simple issue to fix.

eBay fixed that one in September.

An attack exploiting this XSS vulnerability would have been incredibly difficult for most eBay users to spot – seeing it would have required careful reading of the entire URL and enough technical knowledge to know what javascript looks like any why it shouldn’t have been there.

The safest way to deal with links in emails is not to click on them. If an email prompts you to visit a website try typing the plain vanilla address, like eBay.com, into a new window that you’ve opened yourself.

Image of password fishing courtesy of Shutterstock.com