A while ago the internetwache discovered a vulnerability on ebay.com. Vulnerabilites in such big websites like ebay are more explosive, because of the large user base which might be affected by the vulnerability.
The decision to scan ebay.com for vulnerabilites was very spontanious, because we thought that we would not discover anything there. However, in the end we discovered a tiny XSS vulnerability what proofs us once more, that no system can be 100% secure. A lot of people use ebay as a platform to buy or to sell their goods online. Buyers and vendors can be rated after every deal. A good reputation is necessary to be classified as trust-worthy, but the reputation is bound to the account thus an accoujnt-takeover because of a vulnerability might end up in a nightmare for the customer.
Thanks to a previous report about a XSS on ebay.de published on heise.de, we know where to report the security issue. Ebay is running a responsible disclosure program and offers a contact form for security researchers. We sent the email on the 26th of august 2013 and thought that a big company like ebay would fix the issues asap.
The first response which we received after two days stated that the email has been forwarded to the developers. Then we haven’t received any feedback or status update for a whole month so that we decided to ask for an update using twitter. The twitter support managed to let the developers send us a status update. The update stated that they’re still working on a fix. We could not believe that, because fixing a cross site scripting issue should not be that hard.
The XSS was located at the subdomain “reifen.ebay.com” so that stealing session should not be possible (thanks to SOP), but that does not prevent someone from creating a phishing page. Six weeks (03rd of november 2012) passed until we noticed that the problem was resolved by paypals security team. We asked them whether they can verify that the problem does not longer exist. Ebays security team acknowledged the fix and listed our namens in the their hall of fame.
We would like to thank ebay for the fix and the entry in their hall of fame.
The team of Internetwache.org
Screenshots:
