An independent security advisor claims that eBay was slow to react after being warned of an XSS vulnerability that could have exposed millions of customers to data theft or phishing campaigns.
The flaw was discovered and reported to eBay by an independent security advisor nicknamed MLT. However, MLT claims that eBay ignored the warning about the potentially serious XSS vulnerability until the mainstream press became aware of it and began to ask questions.
The cross-site scripting (XSS) vulnerability allowed a malicious person to inject his or her own eBay page into the site via an iframe. As demonstrated on MLT’s blog, MLT was able to inject a fake login page under the eBay domain URL, which looked to all like a genuine eBay page. The page of course returned an error when customers attempted to log in, but not before MLT was able to potentially capture their login credentials in clear text.
MLT commented, "this is a fairly basic vulnerability (no WAF bypass or anything of that sort required) on a site where XSS would generally be considered a huge issue (even more so since the main domain is involved)."
However, he was far more concerned with eBay’s lack of response, claiming that the web giant did not respond to his notification for a month. While the problem is now fixed, MLT said, "they only rushed to patch the vulnerability after the media contacted them about it."
In a statement, an eBay spokesperson told ZDNet in their defence: "We did indeed receive the researcher's submission on the 11th of December, and did respond to the initial email address that he submitted the report to on the 12th.
"However, he followed up with a different email alias, which resulted in a bit of miscommunication. We have since been in contact with the researcher and have fixed them."