Till now may eBay have not overcome with the latest cyber attacks that it suffered last two days before and now another bad day arrives for eBay Inc. Yesterday eBay have admitted that the breach of its one database makes the compromised of the 145 million users details and urged its users to change the password.
Account Hijacking Vulnerability
According to a separate news on Daily mail, eBay could be fined £500,000 for breach of its data 18 million Britain users. The penalty can be imposed by the Information Commissioner's Office, ‘would amount to just 2p for each of the and 0.00002 per cent of the company's global annual turnover.’ BAD LUCK!
Source:- THN
Changing Password is Enough ??
As eBay notified its users to change their password but what makes if change of password, and making a complex (10-15 character long) password won't make your data secure. Yeah.. the same, happens here also. Changing password and making it complex won't work until and unless the organisation infrastructure is secure. Many times a organisation Vulnerable system or other infrastructure gives the invitation to cyber hackers.
Today, three of the security researcher have reported a critical vulnerability on eBay, which leave 145 million users vulnerable.
Uploaded a Backdoor Shell on eBay Server
A researcher named as Jordan Jones, have discovered a vulnerability that allowed him to upload a backdoor shell on the eBay server.
Jordan have claims and tweeted that he had managed to gain the backdoor access of the into the eBay server with the backdoor web PHP shell. Researcher have reported the vulnerability to eBay, and also given the screenshot of the backdoor as a Proof-of-Concept. With this backdoor researcher have full control over eBay's server and can also gain a root access on to the server after the successful exploit of the server.
The backdoor was available on the following directory "https://dsl.ebay.com/wp-includes/Text/Diff/Engine/shell.php" but modified to a blank file.
Along with this, Jordan have also found a cross site scripting vulnerability in the eBay Research Labs page (labs.ebay.com), report on blog post.
Cross-Site Scripting (XSS) Vulnerability on eBay (Persistent XSS)
Another security researcher from Germany named as "Michael E." have found more Cross Site Scripiting (XSS) vulnerability on eBay’s auction pages that allowed him to inject arbitrary HTML and Javascript code into the eBay website.
Researcher explains the vulnerability as -
Each time a user visits any infected auction page created by the attacker, the reported persistent XSS vulnerability will execute the unauthorized Javascript code on the users’ browser with a payload to steal their account cookies, in an effort to hijack the user’s account.Michael have demostrated the vulnerability "http://www.ebay.de/itm/script-script-alert-1-script-x-onfocus-alert-1-autofocus-onl-/281257333177" and says that any one can create an auction page with malicious javascript.
Moreover THN group have also discussed that, eBay accepts the same cookies to log-in in the users account even if user logout from its account or change the password. This means with the Michael XSS vulnerability, cookies stolen by the attacker can be used in future, even if users have changed its password.
One more Vulnerability have been reported by the Egyptian Security researcher "Yasser H. Ali" on eBay's site. The Vulnerability discovered by Yasser allow an attacker to hijack millions of user accounts in bulk and this exploit could be very successful in the targeted attacks.
Note:- All the above discussed vulnerability is UNPATCH and its risk severity is HIGH. For some of the security measure, researcher and we cannot discuss the vulnerability process, untill eBay security team patch the Vulnerability.
Hope now you have got that how much eBay is secure. May this only the demonstration, may more is there to come. So Security breach not happens from users side, mostly the organisation weak modules lead to suffer its users.
Hope now with all these hack eBay will get their backbone tight and will seriously makes the improvement on the infrastructure. Now eBay's team will also work on its security and start finding flaws into there own system
Source:- THN