eBay is working to patch a cross-site request forgery vulnerability recently uncovered by a security researcher. The Avnet researcher also discovered cross-site scripting and blind SQL injection bugs in eBay's online auction site, which eBay has fixed.
eBay is working on a fix for a cross-site request forgery problem
that could allow an attacker to change a user's password and get access to that
The vulnerability is one of several affecting eBay that were
recently uncovered and shared with eWEEK by Nir Goldshlager, a researcher with
Avnet Information Security Consulting. Among the vulnerabilities are cross-site
scripting bugs in the eBay Live Help support page and eBay To Go, which the company fixed by validating user input. In addition, Goldshlager
uncovered a blind SQL injection problem in the eBay donations Website.
All of the vulnerabilities have been patched except the CSRF
(cross-site request forgery) flaw. According to Chad Greene, eBay's senior
manager of global information security, the company has pushed code to the core
site to measure the impact of potential fixes for the CSRF problem on the user
and will make a decision about how to address the situation in the next three
"The nature of CSRF means that there isn't a single fix
that can be applied in all cases and rolling out the wrong fix could break
legitimate user functionality," Greene told eWEEK in an e-mail.
According to Goldshlager, who demonstrated a
proof-of-concept attack, the CSRF vulnerability can be exploited to
ultimately get control of a user's account.
"When the victim visits my malicious Website I can
change his password ... to any password I choose," Goldshlager explained. "I
can change the user's password because I am in control of changing his primary
phone and personal information details in his eBay account. An attacker can
[also] change the secret question [and] answer with the cross-site
request forgery vulnerability. Then he can renew the password of the user by
using the 'forget password' mechanism."
In an interview, Greene said users can report any security
issues they find to eBay's security center, and the site works with members of
the research community to uncover
"We work with many members of the security community as
well as the security industry ... we like to do community outreach and educate
the user base," Greene said.