Latest eBay flaw is a rookie mistake for a website

Researchers have also discovered that the eBay site suffers from serious security issues.

A U.K.-based security researcher showed how eBay is vulnerable to a cross-site scripting attack that could potentially be used to hijack user accounts.

When it rains it pours for eBay. Less than a week after the popular website revealed it was the victim of a massive data breach and directed users to change their passwords, researchers have discovered that it is vulnerable to serious flaws that could allow an attacker to access user accounts. Individuals need to know how to guard against falling victim to these security issues, and other businesses need to learn from eBay's mistakes and do a better job of protecting resources on the Web.

The flaw in question is a cross-site scripting (XSS) vulnerability discovered by a 19-year-old college student in the United Kingdom. An XSS flaw allows an attacker to inject script into an otherwise legitimate website, where it runs in the victim's browser with that site's privileges. The attacker can then intercept the user's session cookie, enabling them to gain access to the user's account and interact with the site as that user.

"Cross-Site Scripting (XSS) vulnerabilities are fairly common web application bugs that have been well understood by security professionals for a very long time," says Tom Cross, director of security research for Lancope. "They can have significant consequences as they can be leveraged by attackers to gain access to victims' accounts."

eBay is not the first major website to leave its site exposed to a cross-site scripting vulnerability. CNN and PayPal have also made this mistake. Though XSS vulnerabilities are common, there are tools and techniques available to test for them so they can be resolved before the code is used on a live website.

"Any organization that runs a website should be testing their code for these vulnerabilities before they go into production," Cross said. "In addition, web application firewalls can often detect and block attacks on XSS vulnerabilities."
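The two points above, how a reflected value becomes script in the page and how code can be tested for that before it goes into production, are easier to see in code. The following is an added example written for this article, not code from eBay or from the researcher; the page layout, the function names and the probe strings are constructed for illustration.

```javascript
// Added example (not from the article): rendering user-controlled input into
// HTML safely, plus the cookie attribute that keeps an injected script from
// reading the session id. Names and the sample page are constructed.

// The five characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The "before" version: the search term is pasted straight into the page.
// Whatever arrives in `query` (typed by the user or carried in a crafted
// link) becomes part of the DOM, which is the reflected XSS pattern.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// The hardened version: same page, but the untrusted value is encoded first.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Session cookie attributes. HttpOnly stops document.cookie from exposing the
// session id to any script running in the page, which is what the cookie
// theft described in the article depends on; Secure and SameSite narrow it
// further. Output encoding is still the primary fix; this limits the damage.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// A pre-production check of the kind the article calls for: render a set of
// constructed inputs that contain markup characters and confirm that none of
// them survives unencoded in the dynamic part of the output.
const MARKUP_PROBES = ['<b>bold</b>', 'a&b', '"quoted"', "it's"];

function rendersInert(renderFn) {
  const prefix = '<h1>Results for ';
  const suffix = '</h1>';
  return MARKUP_PROBES.every((probe) => {
    const html = renderFn(probe);
    const body = html.slice(prefix.length, -suffix.length);
    return !/[<>"']/.test(body);
  });
}

// Stand-alone run: the unsafe renderer fails the check, the safe one passes.
console.log('unsafe renderer inert:', rendersInert(renderSearchUnsafe));
console.log('safe renderer inert:', rendersInert(renderSearchSafe));
```

A check like `rendersInert` belongs in the test suite that runs before deployment; it is a small, deterministic substitute for the scanners Cross mentions and catches the case where someone later replaces `renderSearchSafe` with string concatenation. The cookie flag is the belt-and-braces layer: it does not prevent the injection, but it removes the session cookie from what an injected script can read.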

As far as individual users go, there are a few ways you can guard against cross-site scripting attacks. For starters, disable JavaScript, or at least restrict it so that JavaScript can only run from trusted domains. You can also use browser plugins like NoScript for Firefox or configure the Security Zones in Internet Explorer to whitelist trusted sites and only allow scripts to run from those sites.

You should also make sure you keep your operating system and applications patched to minimize exposure from known vulnerabilities and run up-to-date security software to prevent malicious code from executing on your system.
