Active XSS flaw discovered on eBay

Active XSS flaw discovered on eBay

Summary: According to XSSed, Shubham Upadhyay has discovered an active XSS flaw affecting Ebay.com.

SHARE:
TOPICS: Security
3
Ebay_XSS_November_2012

According to XSSed, Indian security researcher Shubham Upadhyay has discovered an active XSS flaw affecting Ebay.com.

The potential attacker would need an Ebay seller account, where he would put XSS code into the HTML. The vulnerability could be used to trick users into trusting Ebay.com's reputable Web position in an attempt to serve client-side exploits to them. And that's just for starters.

Ebay.com is a popular target for malicious attackers, looking for ways to abuse and hijack the steady inflow of traffic hitting the site on a daily basis, and security researchers who on the other hand attempt to prevent abuse of the site by discovering and reporting security vulnerabilities to Ebay's Security Team.

Mozilla Firefox's NoScript proactively detects the XSS attempt, and blocks it.

The XSS flaw remains unfixed for the time being. eBay's Security Team has been notified.

Find out more about Dancho Danchev at his LinkedIn profile.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

3 comments
Log in or register to join the discussion
  • I hate it when that happens

    " ... According to XSSed, Indian security researcher Shubham Upadhyay has discovered an active XSS flaw affecting Ebay.com. "

    ... i go to a rigged site / page and .. nothing. I navigate through countless pages and, again ... nothing. I'm kinda used to it now, it's been like that for more than 5 years.

    My FF and NoScript setup sure do make browsing a pretty uneventful, plain and easy does it experience. It's gotten so i can't even go to a webpage without breaking out in nonchalance.
    thx-1138_
  • Orly?

    So... Does it mean that eBay allows tag inside product pages' html?
    Isn't it too lamme?
    Rikkrdo
    • Heck

      Not even Zdnet allows it...
      *[script]* tag.
      Rikkrdo