A critical cross-site scripting (XSS) vulnerability has been present on eBay for more than a year now, and the company has not bothered to fix it even though it is quite severe.
Estonian researcher Jaanus Kääp initially discovered the XSS flaw over a year ago while testing the security of web apps. Because eBay failed to act on his reports, Kääp decided to disclose the critical flaw on Full Disclosure on Tuesday.
Kääp outlines that he emailed eBay's security team four times over the course of an entire year, and eBay did nothing about it. After repeated emails, eBay officials told Kääp they could not release any information regarding their patch schedule, and the patch never came. Kääp emailed them several more times regarding the bug, only to receive an automated reply. The company also asked Kääp not to disclose the bug publicly, but never gave him a timeline for a fix.
Kääp said the initial lack of replies seemed normal, and he assumed eBay would patch the hole in a timely manner, since the bug appeared to be an easy fix. A year later, Kääp said, he was appalled to log in to eBay and still find the critical XSS flaw.
“It was still there,” Kääp wrote in his blog post Tuesday, disclosing the XSS. “So it must not be as dangerous as I thought and no harm can happen from making it public.”
According to Kääp's research, the vulnerability could allow an attacker to carry out an XSS attack over eBay's internal messaging system simply by intercepting and altering a request. Kääp warned the flaw could be a "high issue" for targeted attacks because eBay's session cookies are not marked HttpOnly, so injected script can read them.
Kääp initially uncovered the vulnerability when attaching a photo to a private eBay message: he uploaded it to the server and then modified the captured GET request and its headers. When the altered request injected the photo into the message, the payload executed.
Kääp outlines the steps he took to carry out the attack:
- Start by sending a message to another eBay user through the “this is not about an item” form.
- Select the “attach photos” button and upload the picture while catching the request itself with Burp or another proxy.
- Modify the GET parameter named “picfile” and header named “X-File-Name” to contain your payload.
- If executed properly, an image should appear in the message; you can then complete the form and click send. Catch this request again with the same proxy.
- For good measure, Kääp said, he also modified the file name in this second request.
- RESULT: When the target opens the message, the XSS payload executes right on the screen.
As a proof of concept, Kääp demonstrated the attack with a small XSS alert on the victim's machine, but stated that the XSS payload may not be limited in any way. Kääp also said the XSS vulnerability could be combined with other attacks; for instance, it would make it easy to create a new user without email verification in order to carry out further attacks.
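As an added example that is not taken from Kääp's write-up or from eBay's code, this Python shows the two server-side controls the article points at: treat client-supplied attachment names (the `picfile` parameter and `X-File-Name` header, used here only as hypothetical names after the article) as untrusted input that is allow-listed and HTML-escaped before it is rendered into a message, and mark the session cookie HttpOnly so that a script which does run cannot read it.

```python
import html
import re
from http.cookies import SimpleCookie

# Allow-list for client-supplied attachment names: a short stem of letters,
# digits, underscore or dash, then exactly one image extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$", re.IGNORECASE)

def basename_only(client_name: str) -> str:
    """Drop any directory part the client sent (either slash style)."""
    return client_name.replace("\\", "/").rsplit("/", 1)[-1]

def is_safe_filename(client_name: str) -> bool:
    """True only if the path-stripped name matches the allow-list. Apply it to
    every channel the name arrives on (e.g. the hypothetical 'picfile' parameter
    and 'X-File-Name' header); none of them is trusted."""
    return SAFE_NAME.fullmatch(basename_only(client_name)) is not None

def sanitize_filename(client_name: str) -> str:
    """Return the validated basename, or raise if it fails the allow-list."""
    if not is_safe_filename(client_name):
        raise ValueError("attachment name rejected")
    return basename_only(client_name)

def render_attachment_html(stored_name: str, display_name: str) -> str:
    """Build the message's <img> tag with every dynamic value HTML-escaped, so a
    name that somehow bypassed validation still cannot close the attribute."""
    return '<img src="/attachments/{}" alt="{}">'.format(
        html.escape(stored_name, quote=True), html.escape(display_name, quote=True))

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with HttpOnly and Secure: even if a script does run,
    it cannot read the session token through document.cookie."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    return c["session"].OutputString()

if __name__ == "__main__":
    # Constructed hostile input: markup where a plain file name is expected.
    hostile = 'photo.jpg"><script>alert(1)</script>'
    print("accepted:", is_safe_filename(hostile))  # False
    print(render_attachment_html("a1b2c3.jpg", hostile))
    print(session_cookie_header("example-session-id"))
```

The allow-list deliberately rejects double extensions and any name containing quotes or angle brackets, and the escaping step is kept separate so that output encoding still happens even when validation is bypassed elsewhere.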
eBay isn't the only major company that lacks urgency when it comes to severe vulnerabilities: just two months ago we disclosed that TMZ.com was still vulnerable to the Heartbleed bug more than a year after its discovery. That flaw has since been patched on the site.
It remains unknown why eBay has decided to shelve Kääp's vulnerability. The company has so far chosen not to comment publicly on the vulnerability or its disclosure.