Latest eBay flaw is a rookie mistake for a website
By Tony Bradley, PCWorldMay 29, 2014 2:33 pm PDT
When it rains it pours for eBay. Less than a week after the popular website revealed it was the victim of a massive data breach and directed users to change their passwords, researchers have discovered that it is vulnerable to serious flaws that could allow an attacker to access user accounts. Individuals need to know how to guard against falling victim to these security issues, and other businesses need to learn from eBay’s mistakes and do a better job of protecting resources on the Web.
The flaw in question is a cross-site scripting (XSS) vulnerability discovered by a 19-year-old college student in the United Kingdom. An XSS flaw can allow an attacker to inject malicious code into an otherwise legitimate website. The attacker can intercept a user’s session cookie enabling them to gain access to the user’s account and interact with the site as that user.
“Cross-Site Scripting (XSS) vulnerabilities are fairly common web application bugs that have been well understood by security professionals for a very long time,” says Tom Cross, director of security research for Lancope. “They can have significant consequences as they can be leveraged by attackers to gain access to victim’s accounts.”
eBay is not the first major website to leave its site exposed to a cross-site scripting vulnerability. CNN and PayPal have also made this mistake. Though XSS vulnerabilities are common, there are tools and techniques available to test for them so they can be resolved before the code is used on a live website.
“Any organization that runs a website should be testing their code for these vulnerabilities before they go into production,” Cross said. “In addition, web application firewalls can often detect and block attacks on XSS vulnerabilities.”
You should also make sure you keep your operating system and applications patched to minimize exposure from known vulnerabilities and run up-to-date security software to prevent malicious code from executing on your system.