Menu
Latest eBay flaw is a rookie mistake for a website

Latest eBay flaw is a rookie mistake for a website

Researchers have also discovered that the eBay site suffers from serious security issues.

A U.K. based security researcher showed how eBay is vulnerable to a cross-site scripting attack that could potentially be used to hijack user accounts.

A U.K. based security researcher showed how eBay is vulnerable to a cross-site scripting attack that could potentially be used to hijack user accounts.

When it rains it pours for eBay. Less than a week after the popular website revealed it was the victim of a massive data breach and directed users to change their passwords, researchers have discovered that it is vulnerable to serious flaws that could allow an attacker to access user accounts. Individuals need to know how to guard against falling victim to these security issues, and other businesses need to learn from eBay's mistakes and do a better job of protecting resources on the Web.

The flaw in question is a cross-site scripting (XSS) vulnerability discovered by a 19-year-old college student in the United Kingdom. An XSS flaw can allow an attacker to inject malicious code into an otherwise legitimate website. The attacker can intercept a user's session cookie enabling them to gain access to the user's account and interact with the site as that user.

"Cross-Site Scripting (XSS) vulnerabilities are fairly common web application bugs that have been well understood by security professionals for a very long time," says Tom Cross, director of security research for Lancope. "They can have significant consequences as they can be leveraged by attackers to gain access to victim's accounts."

eBay is not the first major website to leave its site exposed to a cross-site scripting vulnerability. CNN and PayPal have also made this mistake. Though XSS vulnerabilities are common, there are tools and techniques available to test for them so they can be resolved before the code is used on a live website.

"Any organization that runs a website should be testing their code for these vulnerabilities before they go into production," Cross said. "In addition, web application firewalls can often detect and block attacks on XSS vulnerabilities."

As far as individual users go, there are a few ways you can guard against cross-site scripting attacks. For starters, disable JavaScript, or at least restrict it so that JavaScript can only run from trusted domains. You can also use browser plugins like NoScript for Firefox or configure the Security Zones in Internet Explorer to whitelist trusted sites and only allow scripts to run from those sites.

You should also make sure you keep your operating system and applications patched to minimize exposure from known vulnerabilities and run up-to-date security software to prevent malicious code from executing on your system.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags web securityebayXSSExploits / vulnerabilitiescross-site scripting flawebay compromised

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments