Ebay Pledges To Fix Security Flaw

eBay is working on a fix for a cross-site request forgery problem that could allow an attacker to change a user’s password and get access to that user’s account.

The vulnerability is one of several affecting eBay that were recently uncovered and shared with eWEEK by Nir Goldshlager, a researcher with Avnet Information Security Consulting. Among the vulnerabilities are cross-site scripting bugs in the eBay Live Help support page and eBay To Go, which the company fixed by validating user input. In addition, Goldshlager uncovered a blind SQL injection problem in the eBay donations Website.

All of the vulnerabilities have been patched except the CSRF (cross-site request forgery) flaw. According to Chad Greene, eBay’s senior manager of global information security, the company has pushed code to the core site to measure the impact of potential fixes for the CSRF problem on the user and will make a decision about how to address the situation in the next three weeks.

“The nature of CSRF means that there isn’t a single fix that can be applied in all cases and rolling out the wrong fix could break legitimate user functionality,” Greene told eWEEK in an e-mail.

According to Goldshlager, who demonstrated a proof-of-concept attack, the CSRF vulnerability can be exploited to ultimately get control of a user’s account.

“When the victim visits my malicious Website I can change his password … to any password I choose,” Goldshlager explained. “I can change the user’s password because I am in control of changing his primary phone and personal information details in his eBay account. An attacker can [also] change the secret question [and] answer with the cross-site request forgery vulnerability. Then he can renew the password of the user by using the ‘forget password’ mechanism.”

In an interview, Greene said users can report any security issues they find to eBay’s security center, and the site works with members of the research community to uncover any vulnerabilities.

“We work with many members of the security community as well as the security industry … we like to do community outreach and educate the user base,” Greene said.