eBay XSS bug twice as dangerous if used in phishing scams

Jan 12, 2016 10:40 GMT  ·  By

An XSS (cross-site scripting) bug on eBay's main domain (ebay.com) would have made phishing campaign operators' life a lot easier if they had known about it.

The bug, discovered by a hacker known as MLT, is a simple reflected XSS flaw that would allow an attacker to append specially crafted parameters to the end of a URL and make the eBay site execute malicious code in the user's browser.

MLT states that, because the "HttpOnly" flag is set on the ebay.com domain, attackers wouldn't be able to steal user cookies via this flaw, but this does not protect users from other, more complex attacks.

XSS bug could have been very useful in phishing attacks

In a detailed blog post, the hacker walked readers through step-by-step instructions on how to create a phishing page for eBay's login screen.

Once this HTML clone was created, he put together a PHP file that would take data from the fake eBay login fields and then write it to a log.txt file. When done, he hosted this fake eBay login page on his server so it could be available online.

Using the XSS bug he first discovered, he crafted a malicious ebay.com URL, which used parameters that loaded an iframe on top of the real eBay page.

This iframe was set to load MLT's fake login. Because the XSS bug allowed the attacker to use the official ebay.com domain, users would have never suspected a thing.
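The two points above (HttpOnly blocks cookie theft but not an injected iframe) come down to where the fix belongs: at the output sink and in the response headers. The following is an added example, not MLT's or eBay's code (the article shows none); it uses a hypothetical search page with a constructed `q` parameter and shows the unescaped reflection beside the HTML-escaped one, plus the headers a defender would add.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL (hypothetical host and parameter; the real eBay
# parameters are not given in the article). The query carries an <iframe>.
SAMPLE_URL = ("https://example.invalid/search?q="
              "%3Ciframe%20src%3D%22https%3A%2F%2Fattacker.invalid%2F%22%3E%3C%2Fiframe%3E")


def query_param(url, name):
    """Return the first value of `name` from the URL's query string, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(q):
    """Reflected-XSS pattern: the URL parameter is copied into the HTML unchanged."""
    return f"<h1>Results for {q}</h1>"


def render_safe(q):
    """Hardened sink: HTML-escape so markup in the parameter is shown as text."""
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def security_headers():
    """Defence-in-depth headers; HttpOnly alone does not stop DOM injection."""
    return {
        # HttpOnly hides the session cookie from document.cookie (the flag the
        # article says ebay.com already had). Cookie value is a placeholder.
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax; Path=/",
        # No 'unsafe-inline' blocks injected inline script; frame-src 'none'
        # blocks an injected iframe that points at a third-party phishing page.
        "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                    "frame-src 'none'; frame-ancestors 'self'"),
    }


if __name__ == "__main__":
    q = query_param(SAMPLE_URL, "q")
    print("unsafe:", render_unsafe(q))
    print("safe:  ", render_safe(q))
    for k, v in security_headers().items():
        print(f"{k}: {v}")
```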

eBay fixed the issue before it became a problem

Sending this malicious link in email or social media spam would have allowed the hacker to collect eBay passwords from all users who clicked it and then authenticated on the site.

Of course, to mask the fake login, JavaScript on the phishing page could have automatically redirected users to a real eBay page, making the phishing page disappear as soon as the credentials had been captured.

MLT says that he reported the issue to eBay, which has since fixed it. MLT cites some issues during the disclosure process, revealing that eBay rushed to fix the bug only after he leaked details to the press and media representatives started asking the company about the problem.

We have contacted eBay for a statement. We'll update the article once MLT publishes more details about the disclosure timeline or eBay responds.

[Image: The fake eBay phishing page]
[Image: The eBay XSS bug]