Spokesperson Ryan Moore confirmed eBay has fixed a pair of security vulnerabilities described in ThreatPost. Moore told EcommerceBytes on Tuesday they’d been addressed and fixed.
Security software firm Kaspersky Lab publishes ThreatPost, which has reporters covering security issues. The editor communicated with Aditya Sood, a researcher who had discovered the vulnerabilities along with Rohit Bansal.
The first bug resulted from the failure of an eBay page to check the headers of image files uploaded by users.
The second bug was the result of eBay’s server returning a message with the exact file path after a user uploaded a file successfully. Sood told ThreatPost, “The attacker can upload malicious exe file camouflaged as image files and then use the URL in drive by download attacks.”
More details about how the vulnerabilities were exploitable are found on ThreatPost.
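A sketch of the two server-side checks whose absence is described above, written as an added example and not eBay's code: the upload handler compares the file's leading bytes against known image signatures, and on success it returns an opaque identifier instead of the stored file path. The function names, the accepted types, and the in-memory `store` are assumptions made for illustration.

```python
import secrets

# File signatures ("magic bytes") for the image types this hypothetical
# upload endpoint accepts.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_ALIASES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_image_type(data: bytes):
    """Return the image type indicated by the leading bytes, or None."""
    for kind, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def handle_upload(filename: str, data: bytes, store: dict) -> dict:
    """Validate an upload and return a response that leaks no storage path."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(ext)
    actual = sniff_image_type(data)
    if claimed is None or actual is None or claimed != actual:
        # Generic error: no detail about what was checked or where files live.
        return {"ok": False, "error": "unsupported file"}
    # Server-chosen random name; the user-supplied name never reaches storage.
    file_id = secrets.token_urlsafe(16)
    store[file_id] = (f"{file_id}.{actual}", data)
    # Opaque handle only; the server resolves it to a location internally.
    return {"ok": True, "id": file_id}


# Constructed sample inputs (not taken from the report).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
EXE_AS_JPG = b"MZ\x90\x00" + b"\x00" * 16  # DOS/PE header behind an image name

if __name__ == "__main__":
    uploads = {}
    print(handle_upload("photo.png", PNG_SAMPLE, uploads))
    print(handle_upload("photo.jpg", EXE_AS_JPG, uploads))
```

A signature check is only a first filter, since a file can begin with valid image bytes and still carry other content; decoding and re-encoding the image on the server is a stronger control.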