Severe Vulnerability At eBay's Website 60
New submitter Golem.de (3664475) writes with another security problem at eBay: "The German security expert Micheal E. discovered the persistent cross-site scripting vulnerability on eBay's website about two months ago and said he reported it to Ebay immediately. Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error that has not yet been fixed. An attacker can manipulate an official auctioning web page and insert Javascript code. By visiting the malicious web page the code is executed by the victim and could potentially be used by the attacker to to execute arbitrary actions in the victim's Ebay account and gain full control over it. There is probably no connection to the huge database theft reported a few days ago. The XSS flaw can only be used to attack one victim at a time."
Get rid of it (Score:5, Funny)
Well if eBay doesn't want his exploit, perhaps he should auction it off to the highest bidder... isn't there a site for that?
Sounds like the eBay I knew... (Score:5, Interesting)
Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error that has not yet been fixed.
I used to make my living selling stuff on eBay some years ago. This sounds like par for the course when it comes to eBay's coding competence. We developed some custom software to handle our listings and other activities and to say eBay's code was poor was a gross understatement. Their security procedures were haphazard and arbitrary and they didn't seem to care much. Maybe they've gotten better in the last 7 years but based on what I'm reading lately it seems not so much.
Re: (Score:2)
There's nothing so bad that could not be worse.
eBay is going to Brazil. Guess what? I'm happy.
Our currently "best" auction site, Mercado Livre, is so broke that sometimes I speculate if these guys are operating in bad faith (I know for sure that they would had be sued if they operated in USA).
Re: (Score:2)
Hmm? Brazil and Argentina have "mercado livre" for years, and AFAICT they're ebay with a different name (same platform).
Yep. Until not that much time ago, M.L. was a fine place to buy and sell. But from some years to now, things changed - user's support is near zero, you just can't make a complaint online. Too much rules are relaxed, what favors bad faith sellers.
EBay was a partner until recently, but what we heard is that eBay got fed with all that and decided to do business directly around here. What is one of the best noticies we got in years : we *need* competition around here.
I found something here [abril.com.br] to supports what I'm
Re: (Score:2)
Re: (Score:1)
Right, because ebay is not a software development company. They *also* need software to facilitate their core business. So, code quality just isn't to them what it would be to someone else.
Further, as I understand, legally ebay is also not an auction house. Thus, they are not beholden to regulations intended to protect their end-users. This further reduces their incentive to invest in security.
The "just get it working" battle cry is all too common. So long as nothing bad has happened yet...and the cash
employee (Score:5, Insightful)
I heard the problem at eBay was that an employee's login had been compromised (via social engineering apparently, but we might never know).
Regardless of how that happened, that an employee was able to login from a remote location shows the sad state of affairs of security today.
When I worked at a credit reference agency, security was top priority - as if you lost someone else's data (eg a banks) then said bank would withdraw your access to their data, and that meant you couldn't continue to do business.
So we had the production servers in a datacentre that were physically disconnected to the internet. You wanted to update your SQL, someone had to go there (it was very close :) ) to update things. The only connection to the outside world was the web servers, and they had access solely to locked-down services that in turn solely had access to the parts of the DB that they needed to read from.
Layers of security like this mean that if you get your web site hacked (as happens, frequently) the attacker cannot do much damage. They must hack the services layer as well (which means attacking the OS they run on, through a very narrow firewall) and even then they would have to hack the OS security to gain access to a limited section of data. They'd have to further hack the DB to get access to all the data.
So no-one could ever realistically dump the entire user table in that system. Why anyone lets websites do less is a mystery to me.
Note: Even so-called "security editors" fall intot he camp of thinking layered security is not necessary. In this ArsTechnica story [arstechnica.com], the 'promoted comment' describes a riposte where the poster says the web server needs a direct connection to the web server!!! I can understand some junior web dev thinking it, I can't imagine anyone who knows security taking it seriously, yet many did. This is why we have breach after breach.
Re: (Score:1)
Don't be too proud of yourself.
I went to a Defcon presentation showing a website that used REST services. With the REST services they were able to run any command they wanted to on the DB backend, through the firewall without compromising the OS or showing the web server doing anything strange. They backed up the DB and sent it to themselves with the default REST calls Java provided. It was actually that bad of a security hole, but required Java REST services providing the web pages.
A week later at my wo
Re: (Score:2)
"web server needs a direct connection to the web server" - i assume you meant "database server" in the last one.
so how do you code a website like ebay without accessing the database ? what's the point of disconnected servers - do you get somebody manually bringing requests to/from the webservers ? that would make search rather slow...
Re: (Score:2)
Why do you say "the" database? They at the very least need 2 already. IMO payment data and logins need to be behind narrow firewalls with very limited pure socket (ie. not database) interfaces to the outside (why open yourself up to flaws in the database interfaces when you only need trivial queries?). Might as well split those up into two while you're at it.
Re: (Score:2)
true, but parent said "So we had the production servers in a datacentre that were physically disconnected to the internet." - how should that work for products that do not do massive offline data crunching, i do not know...
Re: (Score:2)
So in a way, yes, there is a request to & from web servers but it's softwar
Re: (Score:2)
sure. but how do you have backend servers "physically disconnected to the internet." ?
that seems to be either an ignorant claim, or a flamebait :)
Re: (Score:2)
You know of things like "teleworking" or "telecommuting" right? And some companies, especially technology ones, tend to have a LOT of people who do that. Heck, they may not even live in the same COUNTRY as the company. In fact, most
Re: (Score:2)
Give each employee who teleworks a dedicated computer with hardware VLAN which he is only allowed to use on that VLAN (ie. no USB ports, no internet, no nothing ... if he wants to copy/paste something to it from another source sysadmins have to get involved).
It's the only reasonable way to allow telework on systems like this ... if you want to BYOD for that you should be redirected to the unemployment office.
That's excessive (Score:2)
Oh come on, there are plenty of perfectly reasonable compromises you can make there. For example, require that the user have an additional authentication factor for remote login. TOTP (things like Google Authenticator) is popular, but (physical) smart cards are more secure.
Make it so that remote login can only be performed from a machine which has a client certificate on it that is tied to the user in question. There are a range of ways to do this, of varying degrees of usability vs. security/paranoia. Putt
Re: (Score:2)
Why steal all that shit when they can just own your computer with some zero day and wait for you to go to the bathroom?
Re: (Score:2)
eBay slipped on this one because they detected the compromised account as merely a misuse of employee web privileges, a minor sort of issue perhaps to be mentioned by said employee's manager at their next review. Nobody noticed the scope of the issue until much later.
Anyway, remote employees are the rule everywhere these days. They're either the boss working from home or minions unworthy to have a company desk, or all the jobs that have been outsourced.
The plenty of projects going on these days where not
Most big businesses are staffed by idiots... (Score:5, Informative)
...but run by excellent salespeople.
Capitalism is 90% salesmanship.
Re:Most big businesses are staffed by idiots... (Score:5, Funny)
Capitalism is 90% salesmanship.
and the other 12% is math.
erm.. (Score:2)
So how about a write-up in English Mr. Golem?
Re: (Score:2)
Yeah, how about a write-up in English [google.com]?
Fuck ePay (Score:5, Informative)
ePay is so hostile for anyone selling casually its no longer worth your time. Paypal now holds onto your funds for weeks if you haven't sold anything recently and your feedback score or number of auctions makes no difference. No matter what small item is sold everyone complains. As a seller you'll automatically lose any complaint filed against you. People overpay for items and then complain something is wrong and then pick arbitrary partial refund values. The auction fees themselves have gotten ridiculous, over 10% on small items. As a buyer you won't find any auction deals. That time has long past. Now its mostly a marketplace for Chinese storefronts.
Why can't someone come up with an alternative? Google has a payment system up and running so why can't they make a competitor?
Re: (Score:2)
Google's payment system only work in a handful of countries. PayPal works almost everywhere on the planet.
Re: (Score:2)
The power of network effects (Score:2)
Google has a payment system up and running so why can't they make a competitor?
Because Google is an advertising company, eBay's profit margins are half of Google's, and Google has no realistic chance at taking over eBay's business anyway short of buying them outright. EBay is a great example of the power of the networking effect. They aren't particularly good at technology but they have the network effect working for them big time. It's the place with the most sellers and the most buyers so it is REALLY hard to displace them because anywhere else you aren't as likely to get a sale
Re: (Score:3)
Paypal now holds onto your funds for weeks if you haven't sold anything recently and your feedback score or number of auctions makes no difference.
There must be something that makes a difference, as I hadn't sold anything in years, but recently sold over $1000 of server hardware and the money was available to me immediately. I have perfect feedback, and used to sell a lot, when eBay was mostly private individuals.
As a buyer you won't find any auction deals.
I still buy sometimes, if I know exactly what I want (searching without the right keywords can lead to lots of useless results). I have found some great deals, again mostly on server hardware, but often on "accessories" for other items that a
Re: (Score:2)
There must be something that makes a difference, as I hadn't sold anything in years, but recently sold over $1000 of server hardware and the money was available to me immediately.
There is a difference. When they rolled the 24 sided die your number was the lucky number 7. The other 23 people are still waiting for their funds to be freed up.
Joking aside I see absolutely zero pattern. I've bought and sold without problem. I've received refunds and filed complaints without problem. Then randomly one day I get a refund for $30 because the seller didn't actually have in stock the item he was selling and Paypal holds my funds for 30 days with no offer for recourse. It wasn't even a case of
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If you qualify this as "buying certain things overseas" that covers the vast majority of governments. Also transnational businesses also tend to want to
Re: (Score:2)
Re: (Score:1)
ePay is so hostile for anyone selling casually its no longer worth your time.
All fascinating since I've been selling small lots since forever, and those problems are not common at all. I guess you must just be completely cursed.
Re: (Score:2)
I recommend craigslist + amazon payments
Re: (Score:3)
And let's not forget the fact that you can't leave negative feedback for a shitty buyer anymore. Or get a negative feedback rescinded. I have a negative on my seller account from a buyer who didn't like the size of the address label I put on the shipping box, a negative which eBay refused to remove.
A few years back I had a package returned unopened. Emailed the buyer to see what happened (thinking maybe I had the address wrong). No reply. Kept sending emails, about three weeks later I finally get a response
Not too convincing... (Score:4, Insightful)
The linked article has zero information regarding this attack and instead focuses on eBay's attack history; once more, it also links to it's own eBay page so +1 for that.
The one hint it does include is a picture [golem.de] and in the picture you can see that the JavaScript is being inserted into the title of the listing (not sure if that's the actual vulnerability or not though). However, as a security researcher, showing a PoC against a large company requires more than a simple alert(1) and instead should use something such as alert(document.domain). The reason for document.domain is because it will show what hostname the JavaScript is executing under - which means everything when it comes to security.
If this is really an XSS hole and eBay comes back with "it's not that bad", there's a good chance that the JavaScript is executing in an iframe on a separate domain which means attackers would not have important access such as a user's cookies / etc. Instead, they'll only be able to execute arbitrary JavaScript (which is bad, but nothing worse than setting up a bad domain and using SEO tricks to drive traffic to it).
Can anyone find a more relevant article that spills out the actual details of this, or maybe one that includes the actual PoC this researcher has created?
Re: (Score:2)
Just fixed this, thanks.
Re: (Score:1)
This is /. -- they have no standards.
Hell, they let us post here.
eBay !!! (Score:1)
eBay! (Score:1)
eBay Really Doesn't Give a Flying F*ck (Score:1)
This isn't anything new (Score:2)
I published a note about this approximately 8 years ago: http://www.kb.cert.org/vuls/id... [cert.org]