The dreaded XSRF cross site request forgery exploit is still uncorrected on ebaY. That means extreme risk to both ebay and Paypal users.




Let’s begin way back in 1999. This phylum of flaws (cross-site/scripting) has existed on ebay since before there were terms coined for it. I produced a quick & dirty video outlining not only that, but how ebay sought to make a public relations play by announcing the removal of sellers’ ability to use active scripting elements in the user generated content of ebay listings, then quietly reversed the decision, and buried that news on a backwater blog. You can cut to the quick  by clicking the more info area of the video and following the links.


Moving forward.


We blogged this vulnerability back in September. Yet if you follow the links there, you see the flaw actually existed for 3 years.



Now to the present day…

From Threatpost:

I’ve given up asking eBay. The intention now is to raise awareness with as many people as possible,” Moore said via email. “The addition of one-click payments via Paypal mean it’s now more urgent than ever, as attackers can use linked Paypal accounts to purchase goods, even without knowing the user’s Paypal username or password.  With the initial exploit being carried out by the affected user’s PC, it’d be difficult to disprove they weren’t responsible for any action which followed.”

Moore’s initial communication to eBay was Aug. 5 and the last Nov. 16, reporting again that the site remains vulnerable to cross-site request forgery (XSRF) despite eBay’s insistence the issue was resolved. His exploit allows an attacker to change the victim’s contact information, including address and phone number, and then use a loophole in the password reset process to redirect the reset to the contact information entered by the attacker.

“Absolutely nothing has changed.  There are no CSRF tokens in the headers, DOM or cookie jar,  so the original exploit from four and a half months ago still works,” Moore said, adding that another software engineer, Scott Helme, tested the exploit and his account details were changed so that Moore could have logged in as his friend.



True to form


ebay took the opportunity to jump on the recent  Target Stores data leaks story to serve up a huge punchbowl cauldron of sleazebay PR flavored Kool-Aid, while completely ignoring their very own issues. Hilarious!





Do you trust ebaY and Paypal?