Password Change Not Enough

Just days after eBay told everyone to change their passwords because their database was breached, new security issues have arisen.  Having a new eBay password is not going to protect you from these security problems as hackers take advantage of any security holes they find.

eBay’s Security Breach

On Thursday eBay admitted that they had a massive security breach that affected 145 million users. eBay urged their millions of users to change passwords, but was that enough? Security professionals are saying eBay’s breach happened mainly because of their vulnerable infrastructure, not weak passwords.

 eBay’s Worst Day

eBay’s day just went from bad to worst. Three Security professionals have just reported three more critical security flaws in eBay’s website. These flaws leave all 145 million users open to hackers.

Hacker Uploaded PHP Shell on eBay Server

Security researcher, Jordan Jones claims and tweeted from his account that he already reported the critical flaw to eBay, along with a proof-of-concept screenshot which shows that he has successfully uploaded a ‘shell.php’ file, a PHP script that allows the attacker to control the server – essentially a backdoor program.

In a blog post, Jordan has also reported about a cross site scripting vulnerability in the eBay Research Labs page (labs.ebay.com).

Persistent XSS Vulnerability on eBay

Michael E., another security researcher from Germany reported to The Hacker News that he found a Persistent Cross-Site Scripting (XSS) vulnerability on eBay’s auction pages that allowed him to inject arbitrary HTML and Javascript code into the eBay website.

Each time a user visits any infected auction page created by the attacker, the reported persistent XSS vulnerability will execute the unauthorized Javascript code on the users’ browser with a payload to steal their account cookies, in an effort to hijack the user’s account.

Cookie Re-use Vulnerability

In a separate experiment The Hacker News discovered that eBay accepts the same login cookies again and again, even if users have logged out or changed their passwords.

Which means by using Michael’s persistent XSS vulnerability, one can steal eBay users’ account cookies in order to get an unauthorized access to the users’ respective accounts, without knowing their previous or updated passwords.

 eBay #Fail

Get it together eBay, I have accounts on your site!

Thanks to The Hacker News for the updates!