A critical bug on eBay’s website opened the door for malicious hackers to create fake login pages to steal passwords and harvest credentials.
An independent security researcher found the flaw in early December, and reported it to eBay on December 11. After an initial response asking for more information the following day, eBay stopped responding to the researcher’s emails, and didn’t patch the bug until after Motherboard contacted the company asking about it last week.
The researcher, who goes by the name MLT, said anyone could have taken advantage of the bug to target individual eBay users and take over their accounts, or harvest thousands, if not millions, of users credentials by sending phishing carefully crafted emails to eBay users.
MLT demonstrated to me how the flaw worked last week, and he published a blog post about it on Monday. For the demo, MLT included a link to a phishing page within eBay’s regular URL, making it look like the fake login page was actually hosted on eBay. The page looked pretty much exactly like eBay’s real login page, except for the URL.
When I typed my username and password on the spoofed site and hit sign in, the page gave me an error, but in the meantime, MLT snatched my credentials. He was able to create the spoofed page thanks to what’s technically known as a cross-site scripting vulnerability. (MLT also demonstrated the flaw in a YouTube video.)
This is a common web bug, also known as XSS, which attackers can exploit to inject malicious code into a website. Several websites in the past have been hit with XSS vulnerabilities. Perhaps the most well-known case of XSS is when a teenage Samy Kamkar, now a well-known security researcher, was able to trick one million MySpace users into becoming his friend thanks to a self-replicating worm that took advantage of an XSS bug on the social network. That incident, which put Kamkar in the law’s cross hairs, changed the internet forever, forcing sites to take XSS bugs seriously.
eBay itself was found to have a dangerous XSS vulnerability on its site last year, and it took the company a year to fix it.
“It’s 2016, we have many technologies in place to prevent XSS.”
“They don’t really have any excuse for their MAIN DOMAIN being vuln to XSS,” MLT told me during an encrypted online chat. “It’s 2016, we have many technologies in place to prevent XSS. [...] Many sites have had xss vulns in the past, Facebook.com for example, but finding an XSS on Facebook now would be an extremely hard task because they have all the right security measures in place. [I don’t know] why eBay can’t do the same.”
A security analyst said that the XSS but that MLT found was “sophisticated and clever.” Ilia Kolochenko, another security expert who’s the CEO and founder of High-Tech Bridge, said that it’s not surprising that web applications are still vulnerable to XSS bugs, and in fact there’s a whole website dedicated to listing vulnerable sites.
Ryan Moore, a spokesperson for eBay, said last week that the company is “committed to providing a safe and secure marketplace for our millions of customers around the world,” and that they were working “quickly” to fix them. Moore explained that there was “a bit of miscommunication” because MLT “followed up on his initial bug report with “a different email alias.”
On Monday, MLT told Motherboard that the bug was patched, according to his tests. Later, eBay confirmed to Motherboard that the flaw was fixed, and that eBay would acknowledge MLT's bug report on the site's page dedicated to thanking friendly hackers who report issues on the site.
It doesn’t appear that anyone exploited this flaw in the open, although it’s possible that someone else other than MLT found the bug and used it for malicious purposes. As a user, this is a good reminder to always be mindful of clicking links emails, and to always check the URL you’re visiting, if there’s something weird on it, it’s likely a scam.
This post was updated after eBay confirmed that the bug was patched.