Exploit of eBay site flaw could allow account takeover

A serious vulnerability, which gives saboteurs the means to take over victims' accounts, plagued eBay's website for at least several months, a researcher revealed.

According to Paul Moore, a UK-based IT consultant, an eBay page where users update their profiles remained vulnerable to cross-site request forgery (CSRF) attacks long after he first notified the company about the issue in August.

Last Friday, security news service Threatpost published an article on the threat, including email correspondence from Moore, which said he'd “given up [on] asking eBay” to remediate the issue and was now focused on educating users. In September, Moore began blogging about the vulnerability.

On Monday, followed up with Moore, who said via email that he was aware that eBay had “made some changes” that afternoon to fix the issue. Moore added, however, that he planned to re-test whether the problem still affected the site. (According to Moore's blog, eBay had said in the past that the vulnerability was resolved, while his follow-up research showed otherwise.)

To hijack an eBay account, a saboteur would need authentication (a victim's username and password) in addition to carrying out the CSRF attack. Via his blog post, Moore explained that the attack must be carried out during an active eBay web session as cross-site request forgery "exploits the trust a web site has in a user's browser."
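To make the "trust in the user's browser" point concrete, here is an added toy model (not eBay's code or Moore's) of a profile-update endpoint that authenticates by session cookie alone, next to a hardened version that also demands a per-session anti-CSRF token; the session store, cookie value and field names are constructed for the example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Request:
    cookies: dict   # what the browser attaches automatically, even cross-site
    form: dict      # POST body from whichever page submitted the form

def new_session_store() -> dict:
    """Server-side sessions keyed by cookie value (constructed sample data)."""
    return {"sess-victim-123": {"user": "victim",
                                "profile": {"email": "victim@example.com"},
                                "csrf_token": secrets.token_hex(16)}}

def update_profile_vulnerable(store: dict, req: Request) -> int:
    """Authenticates by session cookie alone. Because browsers attach that
    cookie to any POST aimed at the site, a form on an unrelated page can
    change the profile while the victim's session is active."""
    session = store.get(req.cookies.get("session"))
    if session is None:
        return 401          # no active session: the forged POST does nothing
    session["profile"].update(req.form)
    return 200

def update_profile_hardened(store: dict, req: Request) -> int:
    """Same endpoint with a synchronizer token: the page that renders the
    profile form embeds a per-session secret, and the handler refuses any
    POST that does not echo it back. A third-party page cannot read it."""
    session = store.get(req.cookies.get("session"))
    if session is None:
        return 401
    submitted = req.form.get("csrf_token", "")
    if not secrets.compare_digest(submitted, session["csrf_token"]):
        return 403          # cookie alone is no longer enough
    session["profile"].update(
        {k: v for k, v in req.form.items() if k != "csrf_token"})
    return 200

def cross_site_post() -> Request:
    """A POST submitted from another origin: cookie present, token absent."""
    return Request(cookies={"session": "sess-victim-123"},
                   form={"email": "changed@example.com"})

def same_site_post(store: dict) -> Request:
    """The legitimate form submission, carrying the token the site rendered."""
    token = store["sess-victim-123"]["csrf_token"]
    return Request(cookies={"session": "sess-victim-123"},
                   form={"email": "new@example.com", "csrf_token": token})
```

Running the same cookie-only request against both handlers shows why the attack requires an active session and why the token, not the cookie, is what the hardened handler actually trusts.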
