Another Cross-Site Scripting Vulnerability On eBay Domain Sites Allows Phishing
According to an XSSed report, eBay is vulnerable to cross-site scripting (XSS) that scammers might abuse to take advantage of eBay users' accounts. Injected JavaScript code can redirect users to fake phishing pages where they are asked to log in to their account. Victims who click on what appear to be genuine eBay search results are also vulnerable to malware infection.
The affected domains include:
motors.desc.shop.ebay.com
shop.ebay.com
search.express.ebay.com
motors.shop.ebay.com
Last year's cross-site scripting vulnerability on eBay could trick people into handing over their personal information to scammers. eBay promptly patched the flaw, but experts wondered how long the fix would hold. The previous flaw was exactly the same and allowed a scammer to redirect people from an eBay listing to a spoofed eBay site. A year ago experts said that hackers could easily modify the JavaScript code to trigger the same behavior again, and it seems they were right.
Here is the vulnerability example from XSSed:
<SCRIPT>if (top == window)location.href ='http://www.any-domain.com'</SCRIPT>
The XSS issues were submitted to XSSed by S_e_YM_e_N, Azat Harutyunyan, www.r3t.n3t.nl and Uber0n.
The vulnerability was already reported to eBay but currently remains unfixed.
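The class of flaw the report describes, as an added example that is not eBay's or XSSed's code: a search keyword echoed into a results page without encoding, next to the output-encoded form that renders the same input as inert text. The function names and the heading markup are assumptions; the sample input is the payload quoted above.

```javascript
// Added example: function names and page markup are assumptions, not eBay code.

// Constructed sample input: the payload quoted in the article, as it would
// arrive in a search keyword parameter.
const SAMPLE_QUERY =
  "<SCRIPT>if (top == window)location.href ='http://www.any-domain.com'</SCRIPT>";

// Vulnerable pattern: user input concatenated straight into markup, so the
// browser parses the keyword as part of the page.
function renderHeadingUnsafe(query) {
  return "<h1>Results for " + query + "</h1>";
}

// Characters that can change the HTML parsing context in element content
// or inside quoted attribute values.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened pattern: encode at the point of output, so the keyword is
// displayed as text and never parsed as markup.
function renderHeadingSafe(query) {
  return "<h1>Results for " + escapeHtml(query) + "</h1>";
}

// Regression check for a test suite: does the rendered markup still contain
// a script start tag after user input was inserted?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderHeadingUnsafe(SAMPLE_QUERY));
console.log("safe:  ", renderHeadingSafe(SAMPLE_QUERY));
console.log("script tag survives (unsafe):", containsScriptTag(renderHeadingUnsafe(SAMPLE_QUERY)));
console.log("script tag survives (safe):  ", containsScriptTag(renderHeadingSafe(SAMPLE_QUERY)));
```

Running the same check over every template that echoes request parameters catches a regression of the kind the article describes, where an earlier fix stops covering a modified input.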