A simple, yet effective flaw discovered on eBay's website exposed hundreds of millions of its custom

frogboy

In memoriam 1961-2018
Thread author
An independent security researcher reported a critical vulnerability to eBay last month that had the capability to allow hackers to host a fake login page, i.e. phishing page, on the eBay website in an effort to steal users' passwords and harvest credentials from millions of its users.

The researcher, nicknamed MLT, said anyone could have exploited the vulnerability to target eBay users in order to take over their accounts or harvest thousands, or even millions, of eBay customers' credentials by sending phishing emails to them.


MLT published a blog post about the eBay flaw on Monday, demonstrating how easy it is to exploit the flaw like this and steal customers' passwords.


Here's How eBay Hack Works

The flaw actually resided in the URL parameter that allowed the hacker to inject his iFrame on the legitimate eBay website.

This is a common web bug, technically known as a Cross-Site Scripting (XSS) vulnerability, in which attackers can exploit the vulnerability to inject malicious lines of code into a legitimate website.

Full article. Simple Yet Effective eBay Bug Allows Hackers to Steal Passwords - The Hacker News
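
Added example, not part of the original post or the linked article and not eBay's code: a hypothetical page handler that reflects a URL parameter, shown unescaped and then hardened with output encoding plus a Content-Security-Policy that restricts framing and form targets. The parameter name msg, the markup and the shop.example / phish.example hosts are assumptions made for illustration.

```javascript
// Added example: hypothetical handler, not eBay's code.
// Parameter name "msg" and the page markup are assumptions.

// Vulnerable: the query parameter is concatenated into HTML unescaped,
// so markup in the URL becomes markup in the page.
function renderVulnerable(requestUrl) {
  const msg = new URL(requestUrl).searchParams.get('msg') || '';
  return `<div class="notice">${msg}</div>`;
}

// Escape the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: encode on output, and send a CSP so that the browser only
// frames same-origin content and only posts forms to the same origin.
function renderHardened(requestUrl) {
  const msg = new URL(requestUrl).searchParams.get('msg') || '';
  return {
    headers: {
      'Content-Security-Policy':
        "default-src 'self'; frame-src 'self'; form-action 'self'",
    },
    body: `<div class="notice">${escapeHtml(msg)}</div>`,
  };
}

// True if the rendered HTML contains a live <iframe> element.
function containsIframeTag(html) {
  return /<iframe[\s>]/i.test(html);
}

// Constructed sample request; both hosts are placeholders.
const sampleUrl = 'https://shop.example/item?msg=' +
  encodeURIComponent('<iframe src="https://phish.example/login"></iframe>');

console.log('vulnerable renders iframe:', containsIframeTag(renderVulnerable(sampleUrl)));
console.log('hardened renders iframe:', containsIframeTag(renderHardened(sampleUrl).body));
```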
 

DracusNarcrym

I can verify that this can actually work - it's not just some crazy, impossible and rare exploit which only theoretically poses a risk to users.
eBay had better act up against this or there might be trouble...
 

frogboy

That is a scary thought that you can confirm this. :D
 
