CSRF Vulnerability in eBay Allows Hackers to Hijack User Accounts

The issue has been reported to eBay, but it's still unfixed

By Eduard Kovacs on September 16th, 2013 11:10 GMT

IT consultant and tech enthusiast Paul Moore has identified a few security issues on eBay, including a cross-site request forgery (CSRF or XSRF) vulnerability that can be exploited by hackers to compromise user accounts.

The expert has found that the eBay page which lets users update their profile is vulnerable to XSRF. That’s because the field which links it to the user’s active cookie is missing.

This allows hackers to submit the form with pre-populated data. The password cannot be updated by using this method. However, the information that’s needed to reset the password can.

The attacker simply needs to submit the form with his own phone number and postcode – information that’s required when resetting the password.

An eBay option allows the hacker to ask for the four-digit confirmation code to be sent to a phone number instead of an email address, specifically the number he had entered earlier when he submitted his own information.

Access to an eBay account doesn’t allow the hacker to steal the victim’s PayPal username and password. However, as Moore highlights, he doesn’t need this information.

The hacker can put a fictitious item up for sale (with a “Buy It Now” price) and bid for it from the victim’s account. 

Another major issue is that when the attacker submits his own information to update the victim’s account, he can also change the secret question. This means that even if the user changes his password, or the CSRF issue is addressed by eBay, the hacker can still gain access to the account.

The expert also warns that eBay doesn’t use SSL efficiently. When users log in to their accounts, the data is transmitted over SSL.

On the other hand, on subsequent pages, HTTP is used, allowing hackers to intercept the session cookie and use it to log in as the victim.

In addition to this, cookies are not flagged as HTTPOnly, which would make it a bit more difficult for cybercriminals to intercept them.

The researcher has informed eBay of his findings on August 5. The company responded immediately and promised to address the issue.

However, 43 days later, the flaw is still present. The expert told Softpedia that he checked the website once again while this article was being written.

On September 2, Moore attempted to get a status update, but eBay representatives informed him that they didn’t provide updates until the vulnerability was repaired.

Additional technical details on the eBay attack are available on the expert’s blog. Here is the video in which Moore demonstrates his findings:



Update. Moore has found that an identical flaw was reported to eBay back in 2010 by Israeli security researcher Nir Goldshlager.

"It's either been vulnerable for 3 years+ or an update has reintroduced the exploit," Moore noted.
Arbitrary data can be submitted to eBay
2 photos
   Arbitrary data can be submitted to eBay

Photo Gallery (2 Images)

Gallery Image
01
Gallery Image
02
MORE ON THIS TOPIC
LATEST NEWS
HOT RIGHT NOW

Comments