eBay patches two critical security flaws on US website
Posted on 26 November 2012.
Two critical vulnerabilities in eBay's US website (ebay.com) have been closed by the company, preventing attackers from accessing and modifying one of its databases as well as steal eBay users' login credentials, reports The H Security.

The SQL injection vulnerability was discovered by researcher David Vieira-Kurz while "hunting on eBayís subdomains." He discovered a vulnerable parameter on the sea.ebay.com/news.php page that could allow attackers to access, read, and modify an eBay SQL database without authorization.

According to his blog post, Vieira-Kurz shared details about the vulnerability with the company's security team, and they fixed the flaw 20 days later.

The XSS flaw was first spotted by Indian security researcher Shubham Upadhyay, then shared with XSSed readers.

The attackers would only have to create a seller account, log into it, and post product listings containing malicious scripts. The unaware buyers who would land on those booby-trapped pages would then be hit with redirections to bogus login pages and exploits, which would ultimately lead to having their accounts compromised and plundered.

eBay has confirmed that the vulnerability has been patched, and mentioned that although they automatically scan for XSS vulnerabilities in user generated content, false positives and negatives do occur sometimes.






Spotlight

USBdriveby: Compromising computers with a $20 microcontroller

Posted on 19 December 2014.  |  Security researcher Samy Kamkar has devised a fast and easy way to compromise an unlocked computer and open a backdoor on it: a simple and cheap ($20) pre-programmed Teensy microcontroller.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Fri, Dec 19th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //