Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


ebay Flaw could Let Attackers Phish Off Users’ Credentials

A hacker going by the handle MLT has discovered a cross-site scripting flaw affecting the chief domain of eBay namely ebay.com. The bug could be used for any ordinary assault which would let a cyber-criminal add distinctive parameters to a URL's suffix while initiate ebay.com to run malware inside the end-user's Web-browser.

MLT explains that since ebay.com has the HttpOnly label configured on it, attackers would not succeed in filching user cookies through the exploitation of the bug; yet, that does not mean Web-surfers would be safeguarded from other related assaults of more complication kinds.

The past week, MLT showed in what manner the flaw was used. For that, he embedded one web-link connecting onto certain phishing page inside the routine URL of eBay, such that the page appeared as eBay's login page, but really was a fake. And while the page appeared quite really as eBay's original page for logging in, the URL was different.

Moreover, once username and password were entered into this spoofed page followed with pressing OK, an error appeared on it, but by this time, MLT grabbed the login details. The spoofed site was crafted with the help of the XSS vulnerability.

Evidently, by dispatching the phishing web-link through spam messages either on social media or through e-mail client it could let the hacker garner as many users' passwords as possible provided they opened it followed with validating the same on the website. Softpedia posted this, January 12, 2016.

Meanwhile, the false login page is disguised with the aid of a JavaScript code inserted into it. This would automatically divert the end-users onto one true eBay page while the spoofed page would fade away immediately following the credentials' theft.

Further, according to MLT, he informed eBay about the bug, and the company fixed it. As per certain issues, which MLT cites emerged at the time of disclosure; it got revealed how eBay hastened towards rectifying the flaw.

MLT in an interview to Motherboard indicated that eBay released a patch for the flaw evident from certain tests. Afterwards eBay substantiated the patch's availability in its own interaction with Motherboard.

» SPAMfighter News - 1/20/2016

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page