12-30-2013 04:07 PM
A serious vulnerability, which gives saboteurs the means to take over victims' accounts, plagued eBay's website for at least several months, a researcher revealed.
According to Paul Moore, a UK-based IT consultant, an eBay page where users update their profiles remained vulnerable to cross-site request forgery (CSRF) attacks long after he first notified the company about the issue in August.
Last Friday, security news service Threatpost published an article on the threat, including email correspondence from Moore, which said he'd “given up [on] asking eBay” to remediate the issue and was now focused on educating users. In September, Moore began blogging about the vulnerability.
On Monday, SCMagazine.com followed up with Moore, who said via email that he was aware that eBay had “made some changes” that afternoon to fix the issue. Moore added, however, that he planned to re-test whether the problem still impacted the site. (According to Moore's blog, eBay has said that the vulnerability was resolved in the past, while his followup research showed otherwise.)
To hijack an eBay account, a saboteur would need authentication (a victim's username and password) in addition to carrying out the CSRF attack. Via his blog post, Moore explained that the attack must be carried out during an active eBay web session as cross-site request forgery "exploits the trust a web site has in a user's browser."