EBay is vulnerable to a hack that would allow an attacker to hijack an account and make unauthorized purchases from the victim’s account that would be difficult to disprove.
The vulnerability was discovered and reported to eBay in August, and despite three separate communications from the online auction and marketplace that the code in question was repaired, the site remains susceptible to exploit.
U.K. consultant Paul Moore of Cresona Corp., the same researcher who reported a serious issue with the Santander Group online and mobile banking applications, found the vulnerability and submitted details to eBay nearly five months ago. Threatpost requested comment from eBay on Tuesday, but that email was not answered.
“I’ve given up asking eBay. The intention now is to raise awareness with as many people as possible,” Moore said via email. “The addition of one-click payments via Paypal mean it’s now more urgent than ever, as attackers can use linked Paypal accounts to purchase goods, even without knowing the user’s Paypal username or password. With the initial exploit being carried out by the affected user’s PC, it’d be difficult to disprove they weren’t responsible for any action which followed.”
Moore’s initial communication to eBay was Aug. 5 and the last Nov. 16, reporting again that the site remains vulnerable to cross-site request forgery (XSRF) despite eBay’s insistence the issue was resolved. His exploit allows an attacker to change the victim’s contact information, including address and phone number, and then use a loophole in the password reset process to redirect the reset to the contact information entered by the attacker.
“Absolutely nothing has changed. There are no CSRF tokens in the headers, DOM or cookie jar, so the original exploit from four and a half months ago still works,” Moore said, adding that another software engineer, Scott Helme, tested the exploit and his account details were changed so that Moore could have logged in as his friend.
Moore’s exploit does not require local access to work. A victim would just need to be lured to a website hosting the exploit via a link on eBay or social media, or in an email; Moore’s hack looks for an active eBay session, otherwise it fails.
If the victim does have an open eBay session, Moore’s attack, called XSRF Router, exploits the XSRF vulnerability and delivers a payload that changes the user’s address, zip code and phone number in order to request a password reset without ever needing the user’s original log-in credentials. Cross-site request forgery attacks exploit the trust a website has in a user’s browser, which stores cookies in order to verify a user’s identity and maintain a log-in. EBay’s profile update form lacks a particular field that when paired with an active cookie makes it vulnerable to XSRF, Moore said.
“Without an XSRF token (which ensures the genuine site delivered the form by linking a unique token with you personally), the form is no different to any other on the web,” Moore said. “As such, it can be pre-populated and submitted by anyone. If you happen to be logged in at the time, your profile can be updated simply by visiting another web site.”
The key for the attacker is the password reset. The reset form asks the user two answer two of three fields: the secret question, zip code and phone number. However, the password reset will still be sent to the victim and not the hacker; the key is to sneak in through a second help page that asks the user to enter a valid phone number where eBay will deliver a four-digit PIN enabling to the new number entered by the attacker via the exploit.
“The hacker submits a fake form which changes your contact telephone number, runs a password reset and waits for the phone to ring. Time required to hijack an account… [less than] 1 minute,” Moore wrote on his blog.
An attacker would not have legitimate access to the victim’s eBay account without ever having to steal the user’s original credentials. Once in, they could view a history of their eBay activity, create a similar listing from another phone account and buy it using the stolen account, Moore said, adding that if the victim’s PayPal is linked to a bank account, those funds could be quickly drained.
“It’s going to be very difficult to prove your innocence too. After all, the initial request came from your machine, you‘ve purchased something you were genuinely interested in, eBay recently contacted you on your telephone number and you‘ve left good feedback,” he said. “It’s highly likely that eBay have other security procedures in place but rest assured, the money will be long gone. You may get it back directly from eBay, but you’re going to struggle to explain how they managed to gain access to your account from your own PC.”