External stylesheets used to overwrite code

Mar 9, 2009 08:38 GMT

Unknown scammers have successfully launched a cross-site scripting (XSS) attack on eBay. The attack bypasses the security measures of both Firefox and Internet Explorer by rewriting auction pages with externally-hosted XBL (XML Binding Language).

The scam works by rewriting the auction page right after its original version has loaded. The listing loads an external CSS file, which in turn loads the XBL code that changes the content of the page. The resulting pages claim that users must e-mail the seller for pre-approval before bidding.

To make the scam harder for individuals to report, the auction's ID number, which should be unique, has also been modified. Apart from the obvious e-mail address harvesting, the purpose of the attack is not yet clear.

As it turns out, the bug exploited in this scam is several years old, but it has sparked a heated discussion among Firefox developers as to whether it is actually a vulnerability or a feature, and whether it should be fixed at the browser level or at the website level.

Firefox restricts an invoked XBL file, which can be used to rewrite content, to the same origin as the document that calls it. This means that if an XBL document is called from an HTML document on domain X, the XBL file also has to be hosted on domain X. This is referred to as the "same-origin policy."

The same restriction applies to XBL invoked from CSS, through the expression() function in IE and the special -moz-binding property in Firefox. However, if an HTML page loads an externally-hosted stylesheet (CSS) file, which in turn loads an XBL file, the policy requires the XBL to share its origin with the CSS file, not with the original HTML document.

Loading external stylesheets is considered a potentially dangerous behavior and can be prevented at the website level, but for some reason the eBay website has had no such blocking mechanism in place. According to The Register, an eBay spokesperson has commented that "This is not a new security threat, our online security experts are already aware of this and have identified it as a known bug in Firefox. eBay utilizes sophisticated security technologies to protect our customers against attacks such as this. We continually update our security to deal with emerging threats – and have done so with this threat."
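As an added illustration of the website-level check the article says was missing (example code written for this page, not eBay's or Mozilla's), the Python filter below flags the constructs the scam relied on in user-supplied listing HTML: off-origin stylesheet links and @import rules, -moz-binding declarations, and IE expression() values. The trusted host name is a constructed placeholder.

```python
import re
from urllib.parse import urlparse

# Hosts allowed to serve stylesheets for the listing page. Constructed
# placeholder for this example, not any real site's configuration.
TRUSTED_HOSTS = {"listings.example"}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_MOZ_BINDING = re.compile(r"-moz-binding\s*:", re.I)
_EXPRESSION = re.compile(r"\bexpression\s*\(", re.I)
_IMPORT = re.compile(r"@import\s+(?:url\(\s*)?['\"]?([^'\")\s;]+)", re.I)
_LINK = re.compile(r"<link\b[^>]*>", re.I)
_HREF = re.compile(r"\bhref\s*=\s*['\"]?([^'\"\s>]+)", re.I)
_STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)
_STYLE_ATTR = re.compile(r"\bstyle\s*=\s*(['\"])(.*?)\1", re.I | re.S)


def _external(url, trusted):
    """True when the URL points at a host outside the trusted set.
    Relative URLs have no host and resolve to the page's own origin."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in trusted


def find_css_risks(html, trusted=TRUSTED_HOSTS):
    """Return (reason, evidence) pairs for each risky construct in listing HTML."""
    findings = []
    # Off-origin <link> elements: the CSS file, not the page, becomes the origin
    # the XBL same-origin check is measured against. Any <link> is checked,
    # since rel="stylesheet" may be omitted or spelled differently.
    for tag in _LINK.findall(html):
        href = _HREF.search(tag)
        if href and _external(href.group(1), trusted):
            findings.append(("external-stylesheet", href.group(1)))
    chunks = _STYLE_BLOCK.findall(html) + [m.group(2) for m in _STYLE_ATTR.finditer(html)]
    for raw in chunks:
        css = _COMMENT.sub("", raw)  # join tokens split by /* */ comments
        if _MOZ_BINDING.search(css):
            findings.append(("moz-binding", "-moz-binding declaration"))
        if _EXPRESSION.search(css):
            findings.append(("ie-expression", "expression() declaration"))
        for url in _IMPORT.findall(css):
            if _external(url, trusted):
                findings.append(("external-import", url))
    return findings


def is_safe_listing(html, trusted=TRUSTED_HOSTS):
    """Reject, rather than strip, listings containing any flagged construct."""
    return not find_css_risks(html, trusted)
```

Pattern-matching raw text is a minimum bar; a production filter should parse the CSS and decode its escape sequences before applying these checks, or better still allow only a fixed set of properties.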

Some Firefox developers disagree, saying that even without XBL rewriting the content, much can be done with malicious CSS alone. "I think the relevant features of this attack could in fact be carried out in a browser that implements CSS3 Generated Content with a bit more effort, and most likely in one that implements just CSS2.1 Generated Content with another bit more effort. At least in terms of totally changing what the user sees," one coder explains.

Nevertheless, it has been decided to address the issue at the browser level, and a Firefox patch is expected soon. Meanwhile, according to Bill Sisk, Microsoft's security response communications manager, as quoted by The Register, the Redmond giant has no plans to fix the issue in Internet Explorer 7 and earlier versions. Internet Explorer 8 is not affected, as it already ships with the expression() functionality disabled.