eBay security flaw 'put users at risk of phishing attack'

“Fairly basic” vulnerability could be exploited to steal login details from millions, says security researcher

eBay sign

A security flaw found on eBay's website put millions of its customers at risk of having their confidential login details stolen.

The phishing attack potentially enabled hackers to set up fake login pages tied to the ebay.com domain, which could dupe users into giving away their username and password, according to an independent security researcher known as MLT, who told eBay last month about the flaw.

MLT said the vulnerability, which he described as "fairly basic" for those with the technical know-how, presented a huge risk to millions of eBay users.

URL links could be embedded within malicious emails to unknowing customers, who could then find their accounts hacked and used to scam other users.

The researcher shared a blog post exposing the flaw on Monday to demonstrate how easy it would be for a hacker to exploit unwitting customers.

The source of the flaw lies in the URL destination, and a common web bug, known as a cross-site scripting (XSS) vulnerability, which allows an attacker to insert malicious code into a legitimate website.

MLT demonstrated setting up a fake eBay login page, which looks just like the real thing, and is anchored to the master domain (ebay.com).

After setting up the fake page, MLT typed in his username and password on the spoof site and attempted to sign in. It gave him an error message. However, the spoof page had also automatically exported the details he had entered as plaintext to a location he had previously specified.

MLT submitted his finds to eBay on 11 December 2015. He said in his post that he did not get a follow-up from the company, until it began receiving media enquires.

eBay has confirmed to IT Pro that it has patched this specific vulnerability as of 11 January 2016. As to why it took so long, the company put it down to "miscommunication" with the researcher.

An eBay spokesman told IT Pro: "As a company, we're committed to providing a safe and secure marketplace for our millions of customers around the world.

"We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We're aware of this particular issue, which involves fraudsters attempting to phish customers using malicious code in very limited use cases. This type of scheme is extremely rare on our platform.

"We're continuously adapting our security systems as we become aware of new forms of malicious code, as well as taking the necessary steps to prevent such phishing attempts. We maintain a responsible disclosure program for eBay where we partner with researchers to address these issues."

This article was originally published on 12 January 2016 at 13:18. It was updated later that day at 16:10 to include eBay's comment.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Phishing attacks surge ahead of Black Friday and Cyber Monday
Security

Phishing attacks surge ahead of Black Friday and Cyber Monday

17 Nov 2020
Wisconsin Republican Party allegedly loses $2.3 million to hackers
hacking

Wisconsin Republican Party allegedly loses $2.3 million to hackers

30 Oct 2020
What is hacktivism?
hacking

What is hacktivism?

13 Oct 2020
Microsoft: Iranian hackers are exploiting ZeroLogon flaw
Security

Microsoft: Iranian hackers are exploiting ZeroLogon flaw

6 Oct 2020

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
Weekly threat roundup: Cisco, BlueKeep, Apache Unomi
Security

Weekly threat roundup: Cisco, BlueKeep, Apache Unomi

19 Nov 2020