
Severe Vulnerability At eBay's Website

Posted by timothy
from the going-once-going-twice dept.
New submitter Golem.de (3664475) writes with another security problem at eBay: "The German security expert Micheal E. discovered the persistent cross-site scripting vulnerability on eBay's website about two months ago and said he reported it to Ebay immediately. Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error has not yet been fixed. An attacker can manipulate an official auctioning web page and insert Javascript code. By visiting the malicious web page the code is executed by the victim and could potentially be used by the attacker to execute arbitrary actions in the victim's Ebay account and gain full control over it. There is probably no connection to the huge database theft reported a few days ago. The XSS flaw can only be used to attack one victim at a time."

  • by Anonymous Coward on Saturday May 24, 2014 @09:47AM (#47082715)

    Well if eBay doesn't want his exploit, perhaps he should auction it off to the highest bidder... isn't there a site for that?

  • by sjbe (173966) on Saturday May 24, 2014 @09:51AM (#47082725)

    Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error has not yet been fixed.

    I used to make my living selling stuff on eBay some years ago. This sounds like par for the course when it comes to eBay's coding competence. We developed some custom software to handle our listings and other activities and to say eBay's code was poor was a gross understatement. Their security procedures were haphazard and arbitrary and they didn't seem to care much. Maybe they've gotten better in the last 7 years but based on what I'm reading lately it seems not so much.

    • by Lisias (447563)

      There's nothing so bad that could not be worse.

      eBay is going to Brazil. Guess what? I'm happy.

      Our currently "best" auction site, Mercado Livre, is so broken that sometimes I speculate whether these guys are operating in bad faith (I know for sure that they would have been sued if they operated in the USA).

      • Second on that. "Mercado Livre" is pure shit. As an example, if you look closely at the page for registering complaints you will realize that they only care about situations which can harm their profits; you can not even complain about other situations.

    • by Anonymous Coward

      Right, because ebay is not a software development company. They *also* need software to facilitate their core business. So, code quality just isn't to them what it would be to someone else.

      Further, as I understand, legally ebay is also not an auction house. Thus, they are not beholden to regulations intended to protect their end-users. This further reduces their incentive to invest in security.

      The "just get it working" battle cry is all too common. So long as nothing bad has happened yet...and the cash

  • employee (Score:5, Insightful)

    by gbjbaanb (229885) on Saturday May 24, 2014 @09:53AM (#47082727)

    I heard the problem at eBay was that an employee's login had been compromised (via social engineering apparently, but we might never know).
    Regardless of how that happened, that an employee was able to login from a remote location shows the sad state of affairs of security today.

    When I worked at a credit reference agency, security was top priority - as if you lost someone else's data (eg a banks) then said bank would withdraw your access to their data, and that meant you couldn't continue to do business.

    So we had the production servers in a datacentre that were physically disconnected to the internet. You wanted to update your SQL, someone had to go there (it was very close :) ) to update things. The only connection to the outside world was the web servers, and they had access solely to locked-down services that in turn solely had access to the parts of the DB that they needed to read from.

    Layers of security like this mean that if you get your web site hacked (as happens, frequently) the attacker cannot do much damage. They must hack the services layer as well (which means attacking the OS they run on, through a very narrow firewall) and even then they would have to hack the OS security to gain access to a limited section of data. They'd have to further hack the DB to get access to all the data.

    So no-one could ever realistically dump the entire user table in that system. Why anyone lets websites do less is a mystery to me.

    Note: Even so-called "security editors" fall into the camp of thinking layered security is not necessary. In this ArsTechnica story [arstechnica.com], the 'promoted comment' describes a riposte where the poster says the web server needs a direct connection to the web server!!! I can understand some junior web dev thinking it; I can't imagine anyone who knows security taking it seriously, yet many did. This is why we have breach after breach.

    • by Anonymous Coward

      Don't be too proud of yourself.

      I went to a Defcon presentation showing a website that used REST services. With the REST services they were able to run any command they wanted to on the DB backend, through the firewall without compromising the OS or showing the web server doing anything strange. They backed up the DB and sent it to themselves with the default REST calls Java provided. It was actually that bad of a security hole, but required Java REST services providing the web pages.

      A week later at my wo

    • by richlv (778496)

      "web server needs a direct connection to the web server" - i assume you meant "database server" in the last one.

      so how do you code a website like ebay without accessing the database ? what's the point of disconnected servers - do you get somebody manually bringing requests to/from the webservers ? that would make search rather slow...

      • Why do you say "the" database? They at the very least need 2 already. IMO payment data and logins need to be behind narrow firewalls with very limited pure socket (ie. not database) interfaces to the outside (why open yourself up to flaws in the database interfaces when you only need trivial queries?). Might as well split those up into two while you're at it.

        • by richlv (778496)

          true, but parent said "So we had the production servers in a datacentre that were physically disconnected to the internet." - how should that work for products that do not do massive offline data crunching, i do not know...

      • You actually should have your web "site" running in a DMZ with no connections other than back to your service layer. It is this layer, on a different LAN, that has access to the DBs (ideally just enough, but in practice often to the entire DB) and other resources. The services can only perform operations intended to be used by the site, so unless there's a "give me a list of all users" requirement, it's not going to happen.

        So in a way, yes, there is a request to & from web servers but it's softwar

        • by richlv (778496)

          sure. but how do you have backend servers "physically disconnected to the internet." ?

          that seems to be either an ignorant claim, or a flamebait :)

    • by tlhIngan (30335)

      I heard the problem at eBay was that an employee's login had been compromised (via social engineering apparently, but we might never know).
      Regardless of how that happened, that an employee was able to login from a remote location shows the sad state of affairs of security today.

      You know of things like "teleworking" or "telecommuting" right? And some companies, especially technology ones, tend to have a LOT of people who do that. Heck, they may not even live in the same COUNTRY as the company. In fact, most

      • Give each employee who teleworks a dedicated computer with hardware VLAN which he is only allowed to use on that VLAN (ie. no USB ports, no internet, no nothing ... if he wants to copy/paste something to it from another source sysadmins have to get involved).

        It's the only reasonable way to allow telework on systems like this ... if you want to BYOD for that you should be redirected to the unemployment office.

        • Oh come on, there are plenty of perfectly reasonable compromises you can make there. For example, require that the user have an additional authentication factor for remote login. TOTP (things like Google Authenticator) is popular, but (physical) smart cards are more secure.

          Make it so that remote login can only be performed from a machine which has a client certificate on it that is tied to the user in question. There are a range of ways to do this, of varying degrees of usability vs. security/paranoia. Putt

          • Why steal all that shit when they can just own your computer with some zero day and wait for you to go to the bathroom?

    • eBay slipped on this one because they detected the compromised account as merely a misuse of employee web privileges, a minor sort of issue perhaps to be mentioned by said employee's manager at their next review. Nobody noticed the scope of the issue until much later.

      Anyway, remote employees are the rule everywhere these days. They're either the boss working from home or minions unworthy to have a company desk, or all the jobs that have been outsourced.

      The plenty of projects going on these days where not

  • by Anonymous Coward on Saturday May 24, 2014 @09:58AM (#47082741)

    ...but run by excellent salespeople.

    Capitalism is 90% salesmanship.

  • by tero (39203)

    So how about a write-up in English Mr. Golem?

  • Fuck ePay (Score:5, Informative)

    by ArchieBunker (132337) on Saturday May 24, 2014 @10:21AM (#47082807) Homepage

    ePay is so hostile for anyone selling casually it's no longer worth your time. Paypal now holds onto your funds for weeks if you haven't sold anything recently and your feedback score or number of auctions makes no difference. No matter what small item is sold everyone complains. As a seller you'll automatically lose any complaint filed against you. People overpay for items and then complain something is wrong and then pick arbitrary partial refund values. The auction fees themselves have gotten ridiculous, over 10% on small items. As a buyer you won't find any auction deals. That time has long passed. Now it's mostly a marketplace for Chinese storefronts.

    Why can't someone come up with an alternative? Google has a payment system up and running so why can't they make a competitor?

    • Google's payment system only works in a handful of countries. PayPal works almost everywhere on the planet.

    • Google has a payment system up and running so why can't they make a competitor?

      Because Google is an advertising company, eBay's profit margins are half of Google's, and Google has no realistic chance at taking over eBay's business anyway short of buying them outright. EBay is a great example of the power of the networking effect. They aren't particularly good at technology but they have the network effect working for them big time. It's the place with the most sellers and the most buyers so it is REALLY hard to displace them because anywhere else you aren't as likely to get a sale

    • by nabsltd (1313397)

      Paypal now holds onto your funds for weeks if you haven't sold anything recently and your feedback score or number of auctions makes no difference.

      There must be something that makes a difference, as I hadn't sold anything in years, but recently sold over $1000 of server hardware and the money was available to me immediately. I have perfect feedback, and used to sell a lot, when eBay was mostly private individuals.

      As a buyer you won't find any auction deals.

      I still buy sometimes, if I know exactly what I want (searching without the right keywords can lead to lots of useless results). I have found some great deals, again mostly on server hardware, but often on "accessories" for other items that a

      • by thegarbz (1787294)

        There must be something that makes a difference, as I hadn't sold anything in years, but recently sold over $1000 of server hardware and the money was available to me immediately.

        There is a difference. When they rolled the 24 sided die your number was the lucky number 7. The other 23 people are still waiting for their funds to be freed up.

        Joking aside I see absolutely zero pattern. I've bought and sold without problem. I've received refunds and filed complaints without problem. Then randomly one day I get a refund for $30 because the seller didn't actually have in stock the item he was selling and Paypal holds my funds for 30 days with no offer for recourse. It wasn't even a case of

    • by tlhIngan (30335)

      ePay is so hostile for anyone selling casually its no longer worth your time. Paypal now holds onto your funds for weeks if you haven't sold anything recently and your feedback score or number of auctions makes no difference. No matter what small item is sold everyone complains. As a seller you'll automatically lose any complaint filed against you. People overpay for items and then complain something is wrong and then pick arbitrary partial refund values. The auction fees themselves have gotten ridiculous,

      • That and the fact that governments actually do not like the idea of having people transferring money to each other through a system like Paypal, where they do not have the same control they have when payments are made by traditional means. Especially in my country where the government would prefer that the citizens would be prohibited from buying overseas.

        • by mpe (36238)

          That and the fact that governments actually do not like the idea of having people transferring money to each other through a system like Paypal, where they do not have the same control they have when payments are made by traditional means. Especially in my country where the government would prefer that the citizens would be prohibited from buying overseas.

          If you qualify this as "buying certain things overseas" that covers the vast majority of governments. Also transnational businesses also tend to want to

          • Nothing illegal. Mundane things like computer equipment, some clothes, cars, and other items that are much cheaper abroad than in my country. (here you ALWAYS pay twice what a car is worth). But as you know, globalization only applies to businesses; to consumers what happens is feudalism.

    • ePay is so hostile for anyone selling casually its no longer worth your time.

      All fascinating since I've been selling small lots since forever, and those problems are not common at all. I guess you must just be completely cursed.

    • by Aighearach (97333)

      I recommend craigslist + amazon payments

    • And let's not forget the fact that you can't leave negative feedback for a shitty buyer anymore. Or get a negative feedback rescinded. I have a negative on my seller account from a buyer who didn't like the size of the address label I put on the shipping box, a negative which eBay refused to remove.

      A few years back I had a package returned unopened. Emailed the buyer to see what happened (thinking maybe I had the address wrong). No reply. Kept sending emails, about three weeks later I finally get a response

  • by newfurniturey (3524449) on Saturday May 24, 2014 @10:49AM (#47082879)

    The linked article has zero information regarding this attack and instead focuses on eBay's attack history; once more, it also links to its own eBay page so +1 for that.

    The one hint it does include is a picture [golem.de] and in the picture you can see that the JavaScript is being inserted into the title of the listing (not sure if that's the actual vulnerability or not though). However, as a security researcher, showing a PoC against a large company requires more than a simple alert(1) and instead should use something such as alert(document.domain). The reason for document.domain is because it will show what hostname the JavaScript is executing under - which means everything when it comes to security.

    If this is really an XSS hole and eBay comes back with "it's not that bad", there's a good chance that the JavaScript is executing in an iframe on a separate domain which means attackers would not have important access such as a user's cookies / etc. Instead, they'll only be able to execute arbitrary JavaScript (which is bad, but nothing worse than setting up a bad domain and using SEO tricks to drive traffic to it).

    Can anyone find a more relevant article that spills out the actual details of this, or maybe one that includes the actual PoC this researcher has created?
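As an added example, not code from the Golem.de report, the researcher's PoC or eBay's site, the block below shows the flaw class that the story summary and this comment describe: a stored listing title concatenated into the page markup as-is, beside the same title HTML-encoded at the point of output. The marker payload is the harmless `alert(document.domain)` this comment recommends, because the domain it reports tells the reader which origin the script actually executed in. The renderer functions, the sample title and the `containsScriptTag` check are my own constructions.

```javascript
// Added example: stored XSS via a listing title, unsafe vs. escaped rendering.
// Not code from the article or from eBay; all names below are invented.

// Characters that change meaning inside HTML text or attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for insertion into an HTML text node or quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable renderer: the stored title goes straight into the markup, so any
// tags the seller typed become part of the page (the bug class in the story).
function renderTitleUnsafe(title) {
  return `<h1 class="item-title">${title}</h1>`;
}

// Hardened renderer: identical template, but the title is escaped on output.
// The browser then shows the angle brackets as text instead of running a script.
function renderTitleSafe(title) {
  return `<h1 class="item-title">${escapeHtml(title)}</h1>`;
}

// Constructed sample: a listing title carrying the comment's suggested marker.
// alert(document.domain) reveals the hostname the script runs under, which is
// what distinguishes "executes on the main site" from "executes in a sandboxed
// iframe on a throwaway domain".
const SAMPLE_TITLE = 'Vintage camera <script>alert(document.domain)</script>';

// Crude post-render check a defender can run in tests: did a script element
// survive into the markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render the sample both ways and report whether a script tag survived.
function demo(title = SAMPLE_TITLE) {
  const unsafe = renderTitleUnsafe(title);
  const safe = renderTitleSafe(title);
  return {
    unsafe,
    safe,
    unsafeHasScript: containsScriptTag(unsafe),
    safeHasScript: containsScriptTag(safe),
  };
}

console.log(demo());
```

Output escaping is context-specific: `escapeHtml` is correct for text nodes and quoted attribute values, but a title placed inside a `<script>` block, a URL or an inline event handler needs the encoder for that context, which is why templating engines that escape by default are the usual fix rather than hand-written concatenation.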

  • I wonder, apart from the AGM, and the furious bailing required to keep the rusting old scow afloat, what else has been going on at eBay between February and May? Then, we have to appreciate that there is little intelligent life on planet eBay at or below the executive suite level. Most of the communications (both voice and certainly email) you have with eBay are undoubtedly with computer algorithms, and not very smart ones at that; so, one has to presume that even any regular algorithmic analysis by eBay o
  • I wonder, apart from the AGM, and the furious bailing required to keep the rusting old scow afloat, what else has been going on at eBay between February and May? Then, I suppose we have to accept that there is little intelligent life on planet eBay at or below the executive suite level. Most of the communications (both voice and certainly email) you have with eBay are undoubtedly with computer algorithms, and not very smart ones at that; so, one has to presume that even any regular algorithmic analysis by
  • Although I've used eBay extensively for the last decade, I came to this conclusion about 6 months ago when I stumbled upon a new user who was attempting to sell about $200,000 of fake equipment. I knew the seller didn't own the items, as one of the higher-priced items listed pictures of the device that our company owns. The device itself is exceedingly rare and the pictures were taken in our facility. I called eBay no less than 4 times and spent about an hour each time working my way up their chain of supe
  • I published a note about this approximately 8 years ago: http://www.kb.cert.org/vuls/id... [cert.org]
