For many years, eBay has been one of the bigger targets for phishers and many other kinds of attackers and they have been honing their tactics and improving them along the way. Much of their effectiveness depends on convincing users that they’re on the real eBay site and the site recently fixed a vulnerability that could have made that process much easier.
The site had a reflected file download vulnerability that an attacker could use to trick victims into believing that they were downloading a file from a legitimate eBay domain. In some browsers, including Internet Explorer 8 and 9, the attack is possible by just having the user load the malicious URL. On other browsers the attacker would have to force the user to download the file.
Researcher David Sopas discovered the vulnerability and reported it to eBay mid-March. The company eventually rolled out a fix for the bug earlier this week. This kind of vulnerability isn’t as common or well-known as cross-site scripting or cross-site request forgery, but can be just as dangerous in the right circumstances.
“What if malicious users could improve their phishing campaigns on eBay? What if malicious pages linked eBay to download malicious files and infect users?” Sopas said in an advisory explaining the vulnerability
“When using eBay and inspecting it’s requests I noticed a call to a JSON file that made me wonder a bit about a security vulnerability – Reflected Filename Download.”
Sopas, a researcher at WebSegura in Portugal, has discovered similar vulnerabilities in services from Facebook and Instagram in recent months.
To the victim the entire process looked like a file was offered for download by eBay trusted domain and it would not raise any suspicious. A malicious user could gain total control over a victims computer and launch multiple attacks,” Sopas said.
Sopas said that attacks against these vulnerabilities are relatively simple to carry out, though finding the bugs themselves is more difficult.
“Pretty easy to implement but not easy to find. RFD attacks are still very common and many companies are not aware of it’s real danger,” he said by email.
“The victim always thinks that the source file is on the trusted site.”