eBay has patched three security vulnerabilities recently discovered in Magento, the open-source e-commerce platform the firm owns and describes as the heart of its shopping infrastructure.
Disclosed late last week by security researcher Hadji Samir of Vulnerability Lab, the three flaws, all now patched, were found in the Magento e-commerce platform, which eBay fully owns and uses to support online shopping and transactions.
Samir posted the advisories on the Full Disclosure mailing list and on Vulnerability Lab's site; all three are rated "medium" severity.
The first, a client-side cross-site scripting (XSS) flaw, was found in the front-end web application of the official Magento Commerce Premium Theme. The non-persistent vulnerability lets remote attackers inject script into the application side of the online service module, which in turn enables "client-side account theft by hijacking, client-side phishing, client-side external redirects and the non-persistent manipulation of affected or connected service modules," according to Samir.
The second is an input validation vulnerability that can be exploited by attackers holding low-privilege user accounts on the application side.
The third, a client-side cross-site request forgery (CSRF) vulnerability, was found in the Magento messages module. Remote attackers with low-privilege user accounts can delete other users' internal Magento messages without their consent, and man-in-the-middle (MITM) attacks can be used to intercept user sessions and delete existing messages. According to Samir, this vulnerability was first disclosed "some years ago."
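The message-deletion flaw combines two weaknesses a reviewer would look for in any state-changing endpoint: a request that can be forged from another site because it carries no anti-CSRF token, and a handler that never checks that the caller owns the record it is deleting. The following is an added, self-contained Python illustration of that pattern and its fix, written for this article; it is not Magento's code, and the session store, message table, `Request` class and handler names are hypothetical stand-ins.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for a web app's session store and message
# table. Hypothetical; this is not Magento's code or data model.
SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}
MESSAGES = {}   # message id -> {"owner": ..., "body": ...}


class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    def __init__(self, method, cookies=None, params=None, form=None):
        self.method = method
        self.cookies = cookies or {}
        self.params = params or {}   # query string
        self.form = form or {}       # POST body


def reset():
    """Constructed sample data: two users, one message each."""
    SESSIONS.clear()
    MESSAGES.clear()
    MESSAGES[1] = {"owner": "alice", "body": "Where is my order?"}
    MESSAGES[2] = {"owner": "bob", "body": "Refund request"}


def login(user):
    """Create a session and issue a per-session anti-CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def delete_message_vulnerable(req):
    """Only checks that *some* valid session cookie is present.
    Accepts GET, requires no CSRF token and never checks ownership, so an
    <img> or link on an attacker's page fires the request with the victim's
    cookie, and any logged-in user can name any other user's message id."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    mid = int(req.params.get("id", req.form.get("id", 0)))
    if mid not in MESSAGES:
        return 404
    del MESSAGES[mid]
    return 200


def delete_message_hardened(req):
    """State-changing action: POST only, per-session anti-CSRF token compared
    in constant time, and the caller must own the message it deletes."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    mid = int(req.form.get("id", 0))
    msg = MESSAGES.get(mid)
    if msg is None:
        return 404
    if msg["owner"] != sess["user"]:
        return 403
    del MESSAGES[mid]
    return 200


def run_scenarios():
    """Replays two attack paths and one legitimate request against both
    handlers and returns the status codes, so the difference is visible
    without running a web server."""
    results = {}

    # 1) Classic CSRF: alice is logged in and visits an attacker page that
    #    embeds <img src="/messages/delete?id=1">. Her browser attaches her
    #    cookie; the attacker never sees it and supplies no token.
    for name, handler in (("csrf_vuln", delete_message_vulnerable),
                          ("csrf_hard", delete_message_hardened)):
        reset()
        alice = login("alice")
        forged = Request("GET", cookies={"session": alice}, params={"id": "1"})
        results[name] = handler(forged)

    # 2) Low-privilege user bob, with his own valid session and token,
    #    directly targets alice's message (missing ownership check).
    for name, handler in (("idor_vuln", delete_message_vulnerable),
                          ("idor_hard", delete_message_hardened)):
        reset()
        bob = login("bob")
        direct = Request("POST", cookies={"session": bob},
                         form={"id": "1", "csrf_token": SESSIONS[bob]["csrf"]})
        results[name] = handler(direct)

    # 3) bob deletes his own message with a correct token: allowed.
    reset()
    bob = login("bob")
    own = Request("POST", cookies={"session": bob},
                  form={"id": "2", "csrf_token": SESSIONS[bob]["csrf"]})
    results["own_hard"] = delete_message_hardened(own)
    results["own_remaining"] = sorted(MESSAGES)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Two points worth noting in the hardened handler: the token check alone would not stop scenario 2, because bob has a perfectly valid token for his own session, so the ownership check is a separate, necessary control; and the token is compared with `hmac.compare_digest` rather than `==` so that a comparison timing difference cannot leak it.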
The vulnerabilities were submitted to eBay's security team through the company's bug bounty program in March. The team responded the following month, and a patch fixing the three flaws was issued in May.