When it rains it pours for eBay. Less than a week after the popular website revealed it was the victim of a massive data breach and directed users to change their passwords, researchers have discovered that it is vulnerable to serious flaws that could allow an attacker to access user accounts. Individuals need to know how to guard against falling victim to these security issues, and other businesses need to learn from eBay’s mistakes and do a better job of protecting resources on the Web.
The flaw in question is a cross-site scripting (XSS) vulnerability discovered by a 19-year-old college student in the United Kingdom. An XSS flaw can allow an attacker to inject malicious code into an otherwise legitimate website. The attacker can intercept a user’s session cookie enabling them to gain access to the user’s account and interact with the site as that user.
Jordan Lee Jones A U.K. based security researcher showed how eBay is vulnerable to a cross-site scripting attack that could potentially be used to hijack user accounts.
“Cross-Site Scripting (XSS) vulnerabilities are fairly common web application bugs that have been well understood by security professionals for a very long time,” says Tom Cross, director of security research for Lancope. “They can have significant consequences as they can be leveraged by attackers to gain access to victim’s accounts.”
eBay is not the first major website to leave its site exposed to a cross-site scripting vulnerability. CNN and PayPal have also made this mistake. Though XSS vulnerabilities are common, there are tools and techniques available to test for them so they can be resolved before the code is used on a live website.
“Any organization that runs a website should be testing their code for these vulnerabilities before they go into production,” Cross said. “In addition, web application firewalls can often detect and block attacks on XSS vulnerabilities.”
As far as individual users go, there are a few ways you can guard against cross-site scripting attacks. For starters, disable JavaScript, or at least restrict it so that JavaScript can only run from trusted domains. You can also use browser plugins like NoScript for Firefox or configure the Security Zones in Internet Explorer to whitelist trusted sites and only allow scripts to run from those sites.
You should also make sure you keep your operating system and applications patched to minimize exposure from known vulnerabilities and run up-to-date security software to prevent malicious code from executing on your system.