Ofer For You (1)

Monday 11 August 2014

Worst Day for eBAY, Multiple Flaws leave Millions of Users vulnerable to Hackers

By "Kunal Vohra" Director@H2K




It's not been more than 36 hours since eBay revealed it was hacked and we just come to know about three more critical vulnerabilities in eBay website that could allow an attacker to compromise users' account once again, even if you have already reset your account password after the last announcement.

Yesterday eBay admitted to the massive data breach that affected 145 million registered users worldwide after its database was compromised. eBay urged its 145 million users to change their passwords after the cyber attack, but are passwords enough? eBay Data breach happened mainly because of their vulnerable infrastructure, not weak passwords.

I think eBay's morning just going to be bad to worse as today, three Security researchers came forward with three more different types of critical flaws in eBay website that leave its 145 million users vulnerable to hackers.

HACKER UPLOADED SHELL ON eBAY SERVER (UNPATCHED)
A critical security flaw in the eBay website for its employees could allow an attacker to upload a backdoor shell, claimed a security researcher, Jordan Jones who have unearthed the vulnerability.

Security researcher, Jordan Jones claims and tweeted from his account that he already reported the critical flaw to eBay, along with a proof-of-concept screenshot which shows that he has successfully uploaded a 'shell.php' file (as shown), a PHP script that allows the attacker to control the server - essentially a backdoor program.
ebay shell
At the time of writing, we confirmed that the file ‘shell.php’ is available on the Ebay server at given location: "https://dsl.ebay.com/wp-includes/Text/Diff/Engine/shell.php", but modified to a blank file.

In a blog post, Jordan has also reported about a cross site scripting vulnerability in the eBay Research Labs page (labs.ebay.com).

PERSISTENT XSS VULNERABILITY ON eBAY (UNPATCHED)
Michael E., another security researcher from Germany reported The Hacker News that he found a Persistent Cross-Site Scripting (XSS) vulnerability on eBay’s auction pages that allowed him to inject arbitrary HTML and Javascript code into the eBay website.

Each time a user visits any infected auction page created by the attacker, the reported persistent XSS vulnerability will execute the unauthorized Javascript code on the users’ browser with a payload to steal their account cookies, in an effort to hijack the user’s account.
ebay xss
Anyone with an appropriate technical knowledge can create an auction page with malicious javascript, as shown in a proof-of-concept link created by the Michael.
http://www.ebay.de/itm/script-script-alert-1-script-x-onfocus-alert-1-autofocus-onl-/281257333177
COOKIE RE-USE VULNERABILITY (UNPATCHED)
In a separate experiment, we have discovered that eBay accepts the same login cookies again and again, even if the victims have logged out or reset their passwords.

Which means by using Michael’s persistent XSS vulnerability, one can steal eBay users’ account cookies in order to get an unauthorized access to the users’ respective accounts, without knowing their previous or updated passwords.

ACCOUNT HIJACKING VULNERABILITY (CRITICAL AND  UNPATCHED)
An Egyptian security researcher ‘Yasser H. Ali’ informed The Hacker News about another critical vulnerability on the eBay website, that can seriously allow an attacker to hijack millions of user accounts in bulk and this exploit could be very successful in the targeted attacks.

For now we are keeping technical details of this vulnerability hidden from our readers, Sorry; because it has not been yet addressed by the eBay security team. But last evening, as a proof of concept Mr.Yasser privately demonstrated the vulnerability step-by-step to ‘The Hacker News’ team and we confirm - IT WORKS. We promise to share the technical details of this interesting flaw, once eBay team will patch it.

eBAY #FAILURE
eBay failed badly to protect its 145 million customers’ sensitive data from the previous data breach and yet has not learned any lesson. There are few points, we would like to highlight about eBay’s passive behaviour towards users’ security.

Two months ago hackers stole a database full of eBay users’ information, including customer names, account passwords, email addresses, physical addresses, phone numbers and birth dates, that can be passed on to other criminals. Such sensitive information could be used by a potential hacker to gather more details about the users by sending spam messages and phishing mails, that could lead to problems with identity fraud.

When companies are hacked, alerting customers is usually the first thing. But according to the media reports, even after 30 hours - eBay hasn't emailed all of its users to notify them that they must change their passwords. Also the company has also not made clear how many people were affected in the latest data breach.

According to a separate news on Daily maileBay could be fined £500,000 for breach of its data 18 million Britain users. The penalty can be imposed by the Information Commissioner's Office, ‘would amount to just 2p for each of the and 0.00002 per cent of the company's global annual turnover.’ BAD LUCK!

APPEAL TO eBAY
All the above listed vulnerabilities have been reported to the eBay Security team by each researcher, and we hope someone from eBay security team will definitely read this article to understand the threats they could face from malicious hackers.

eBay should be more concern about the security of its users and protective towards its users’ privacy, as the company is responsible for the hundreds of millions of users if it fails at any point.

Please share this article to aware as maximum users as you can.

No comments:

Post a Comment