Vulnerabilities on eBay.co.uk May Attract Cyber Criminals

A security researcher nicknamed "Methodman" highlighted certain severe security flaws affecting the website eBay.co.uk, as reported by xssed.com on April 3, 2009.

The first on the list is a cross-site scripting vulnerability, which stems from weak input validation and allows malicious code to be injected into the webpage. Cyber criminals can use it to inject JavaScript that redirects users to eBay scam pages, thereby exposing them to phishing.

Scammers can exploit this same JavaScript code to spread malware by means of clickjacking. Clickjacking is a malicious way to trick web users into disclosing their sensitive information or, in certain instances, to gain access to the user's system while they visit an apparently safe webpage, stated Methodman.

Secondly, this flaw can also be exploited to steal session cookies. This means that if a scammer obtains these small pieces of data, which are stored in the user's web browser and contain the user's settings, the scammer can act as the genuine user and perform online transactions in that user's name.

Moreover, an attacker can also abuse a "directory traversal" vulnerability that arises from inadequate security validation, i.e. sanitizing of user-supplied input. Giving details of this particular vulnerability, Methodman stated that attackers use this attack to go through files on Internet servers, such as password files and SSL private keys.

Methodman partly marked the links of the vulnerable webpages in the screenshots provided to eBay, in order to make clear to the site which webpages are problematic and could be exploited to launch malware attacks.

Breaking the silence, eBay's spokesperson said that the susceptible webpages Methodman referred to did not contain any confidential information, as reported by Softpedia on April 4, 2009.

The spokesperson added that eBay sites were occasionally expected to be vulnerable, so they were not exposed to eBay's full-production servers and data until their compliance with eBay's stiff security standards had been thoroughly examined. The spokesperson further said that, owing to eBay's vigilance and caution, it could be confirmed that none of the users' information had been compromised.


» SPAMfighter News - 4/10/2009
