The eBay website suffered from a critical XSS vulnerability, which has now been patched, but accusations are flying that the auction giant reacted very slowly to deal with the threat.
In fact, as ZDNet reports, apparently eBay only moved to address the cross-site scripting flaw when the media discovered the issue, and therefore it became a bigger danger in terms of bad publicity.
The security hole involved the eBay.com domain and was highlighted by a security researcher going by the name of ‘MLT’, who in a blog post on the issue described it as a “fairly basic vulnerability”.
The researcher detailed how the flaw could be used by an attacker to inject an iframe containing a fake phishing login page to the eBay site – a visitor would attempt to login to the malicious page (at eBay.com), and obviously that login would fail, but the attacker could in theory then steal the victim’s login details.
And all sorts of nastiness would subsequently follow, obviously enough…
MLT said he contacted eBay about the vulnerability but waited a month with no response, and it was only quickly fixed when the media got in touch concerning the security hole. In his blog post, he said he wanted to “highlight how little these companies actually care (until they run the risk of being publicly exposed)”.
ZDNet asked eBay for a comment, and the company did indeed acknowledge that they received the researcher’s initial message on December 11, but then noted it responded the next day, and the researcher replied with a different email alias which “resulted in a bit of miscommunication” and the delay in applying the fix.
Given how serious this problem was though, you’d have hoped that no matter what “miscommunication” was occurring, eBay would be immediately looking into the reported flaw itself and seeing there was definitely an issue here which needed a fast response.
Meanwhile, who knows how many eBay users could have been affected by this in recent times…
- Also check out: The Dukes of Hacking attack the West