eBay: Security exposé

 ^ This blog deals with the XSRF flaw, which has gone uncorrected for 3 years now (also the perennial cookie handling flaw). eBay has failed to respond to the issue (reborn/resurfaced for 3 full months plus), but as always, the comedy act of eBay's bungling buffoons shines through...


The Responsible Disclosure.

As you know, I contacted eBay on the 5th of August - and received a response almost immediately.

Dear Researcher,
Please note that we do not accept screenshots from external links. If you could send us the screenshots over email, that would be great.
eBay Security Research

eBay don't provide an option to upload any supporting evidence... so of course it's going to be from an external link!  Good start!

I replied on the 6th... providing imagery and a proof of concept video to demonstrate the exploit.  On the 7th, I received another response...

We are now forwarding your report to our team of engineers and will let you know when this vulnerability has been resolved.

On the 12th...

Thank you again for your report. Our engineers are unable to reproduce this issue without more information from you. Would you please provide an HTML PoC for the CSRF vulnerability that you presented us?

That's right... they want me to send them THEIR OWN CODE. So I literally copied/pasted their form into an email and sent it back.

Cut to the 2nd of September... I sent an email to chase the issue.

5th September...

We do not provide updates until the vulnerability has been repaired, and our engineers have not yet indicated that this issue is resolved, so we are asking for your patience.

Security researchers face difficult choices when it comes to publishing this type of material.  Some choose to publish it immediately which personally, I don't agree with.  Others contact the vendor first and wait for a response... but opinions vary on how long we should wait before raising awareness with the public.  The SANS Institute recommends 30 days, others suggest 14 days... with Google raising the bar at just 7 days.

eBay take a different route, asking security researchers to wait for a response indefinitely and not to share the details with anyone else until it's resolved.  The lack of SSL encryption means it's essentially already in the public domain!  The threat of a "private action" or "public inquiry" for failure to adhere to the terms is unconscionable; a responsible, security-conscious firm would never set such ludicrous criteria.

We're now at the 16th of September... a massive 43 days after the initial report was sent over, and I'm still none the wiser.
