Simple eBay security flaw exposed millions of users to spear phishing campaigns

EBay has patched a severe XSS security vulnerability which exposed potentially millions of users to phishing campaigns and subsequent data theft.

Despite being informed of the bug privately, the online auction trading site allegedly left a critical XSS flaw open to abuse on the ebay.com domain, and only rallied to fix the issue after the media caught wind of the flaw.

An independent security researcher nicknamed MLT discovered the XSS issue and explained his findings in a blog post on Monday.

"This is a fairly basic vulnerability (no WAF bypass or anything of that sort required) on a site where XSS would generally be considered a huge issue (even more so since the main domain is involved)," the researcher says.

The Cross-Site Scripting (XSS) vulnerability, implemented through Java, allowed an attacker to inject their own malicious page within eBay via an iframe. MLT leveraged the weakness in eBay's domain to inject a login page into eBay's URL system, which made the malicious URL look like it was hosted on the legitimate eBay website.

The researcher's code resulted in an error for potential victims attempting to log in on the fraudulent page, but resulted in their credentials being theoretically captured in plain text.

Once the source code of eBay is copied or a program is used to replicate the website, then users are unlikely to be suspicious when it comes to these kinds of spear phishing tactics -- which could lead to rampant data theft and circumvents the use of encryption and password hashes used on legitimate eBay login pages.

The proof-of-concept video below shows the security flaw in action:

The security flaw paved the way for phishing campaigns to be levied against eBay users. While we often see phishing emails in our email inboxes, XSS-based spear phishing campaigns can be far more damaging as an injection into the vulnerable eBay domain could lead to malicious code targeting visitors in order to hijack their accounts or harvest credentials.

When you consider how many millions of users eBay caters for, this is a critical problem.

According to MLT, the researcher waited a month without a response to their submission. While the problem is now fixed, MLT said, "they only rushed to patch the vulnerability after the media contacted them about it."

In a statement, an eBay spokesperson told ZDNet:

"We did indeed receive the researcher's submission on the 11th of December, and did respond to the initial email address that he submitted the report to on the 12th.
However, he followed up with a different email alias, which resulted in a bit of miscommunication. We have since been in contact with the researcher and have fixed them."

The best business gadgets at CES 2016

Read on: Top picks

• Top gadgets and accessories for hardware and data security
• How to launch an effective Red team enterprise hack
• In Ashley Madison's wake, here's one man's story of sex, sorrow and extortion
• Your business has suffered a data breach. Now what?
• 10 things you didn't know about the Dark Web