
eBay Fixes Vulnerability, According to Report

A security researcher reported a vulnerability to eBay in June, according to the Kaspersky Labs news publication ThreatPost.

The researcher, Aditya Sood, told ThreatPost eBay fixed the bug in August.

“There was a cross-site scripting vulnerability in an eBay domain that could have allowed an attacker to steal users’ session cookies and take over their accounts,” it wrote. “The vulnerability existed on an eBay subdomain, svcs.ebay.com, and Sood said it specifically was in the SMS gateway on the page.”

Earlier this year, Sood had reported another security vulnerability – ThreatPost said he had found a file upload and a patch disclosure vulnerability on an eBay site in March.

Last fall, the BBC reported extensively on cross-site scripting (XSS) vulnerabilities on eBay UK thanks to its policy that allows the use of active content on its marketplace, including JavaScript, Flash, links, videos and pictures. At the time, eBay’s Vice President of Global Managed Marketplace published a notice on the eBay UK announcement board, stating, “After a recent review of our processes and policies, we believe the benefits of allowing active content to our customers outweigh the extremely low likelihood of being exposed to them.”


Ina Steiner
Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to ina@ecommercebytes.com.