Menu
Latest eBay flaw is a rookie mistake for a website

Latest eBay flaw is a rookie mistake for a website

Researchers have also discovered that the eBay site suffers from serious security issues.

A U.K. based security researcher showed how eBay is vulnerable to a cross-site scripting attack that could potentially be used to hijack user accounts.

A U.K. based security researcher showed how eBay is vulnerable to a cross-site scripting attack that could potentially be used to hijack user accounts.

When it rains it pours for eBay. Less than a week after the popular website revealed it was the victim of a massive data breach and directed users to change their passwords, researchers have discovered that it is vulnerable to serious flaws that could allow an attacker to access user accounts. Individuals need to know how to guard against falling victim to these security issues, and other businesses need to learn from eBay's mistakes and do a better job of protecting resources on the Web.

The flaw in question is a cross-site scripting (XSS) vulnerability discovered by a 19-year-old college student in the United Kingdom. An XSS flaw can allow an attacker to inject malicious code into an otherwise legitimate website. The attacker can intercept a user's session cookie enabling them to gain access to the user's account and interact with the site as that user.

"Cross-Site Scripting (XSS) vulnerabilities are fairly common web application bugs that have been well understood by security professionals for a very long time," says Tom Cross, director of security research for Lancope. "They can have significant consequences as they can be leveraged by attackers to gain access to victim's accounts."

eBay is not the first major website to leave its site exposed to a cross-site scripting vulnerability. CNN and PayPal have also made this mistake. Though XSS vulnerabilities are common, there are tools and techniques available to test for them so they can be resolved before the code is used on a live website.

"Any organization that runs a website should be testing their code for these vulnerabilities before they go into production," Cross said. "In addition, web application firewalls can often detect and block attacks on XSS vulnerabilities."

As far as individual users go, there are a few ways you can guard against cross-site scripting attacks. For starters, disable JavaScript, or at least restrict it so that JavaScript can only run from trusted domains. You can also use browser plugins like NoScript for Firefox or configure the Security Zones in Internet Explorer to whitelist trusted sites and only allow scripts to run from those sites.

You should also make sure you keep your operating system and applications patched to minimize exposure from known vulnerabilities and run up-to-date security software to prevent malicious code from executing on your system.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags cross-site scripting flawXSSsecuritydata breachebay compromisedebayweb securityExploits / vulnerabilities

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments