03.14
Summary
In mid-2012 I discovered and reported a combination of CSRF and
persistent XSS on my.ebay.com
. This report was quickly acknowledged by
eBay but the vulnerabilities have not been fixed almost a year after the
initial disclosure. To mitigate the potential risk, I would recommend
that users log out of their eBay accounts when browsing other websites.
Details
The my.ebay.com
website has a section in the left sidebar called
“Shortcuts.” These shortcuts, by default, are pre-defined links to
sections of eBay. It is possible for a user to edit the list of
shortcuts and to add their own, pointing to arbitrary URLs.
I reported two distinct but related vulnerabilities to eBay:
- It is possible to create a shortcut that will execute JavaScript
when clicked on by writing a somewhat convoluted JavaScript URL: the
example I used was
javascript://%0D%0Aalert(document.domain);
. A URL in this format allows me to evade eBay’s filters but still have JavaScript execute in the latest versions of Firefox, Chrome, and IE. A slightly more detailed explanation of how this URL works can be found at http://sla.ckers.org/forum/read.php?2,13209,page=1#msg-13248. - The endpoints that eBay uses to add a shortcut and to remove existing shortcuts are vulnerable to a CSRF attack.
Taken together, these vulnerabilities allow me to create a shortcut on a logged-in eBay user’s account that, when clicked, executes JavaScript.
Because the vulnerabilities remain unpatched I will not be publishing the proof of concept code that I sent to eBay.
Disclosure Timeline
- May 11th, 2012, 11:56 AM: Submitted details of vulnerability via “Security Researchers” form.
- May 11th, 2012, 3:12 PM: Reply from eBay. Report acknowledged, details forwarded to engineering team.
- May 23rd, 2012: Sent followup asking for any updates.
- May 24th, 2012, 5:09 PM: Asked to provide more details (screenshot, more explicit steps to reproduce) to assist in reproducing the issue.
- May 24th, 2012, 5:23 PM: Sent reply containing screenshot and more explicit steps to reproduce the issue.
- June 9th, 2012: Sent followup asking for any updates.
- June 11th, 2012: According to eBay’s responsible disclosure guidelines, this issue may be discussed publicly (“Allow us a reasonable amount of time (at least 30 days from when we receive your disclosure under this process to respond to the issue before disclosing it to others”).
- June 12th, 2012: Reply received from eBay: “Not yet. We’ll let you know when this is resolved.”
- February 8th, 2013: Sent followup asking for any updates. Advised eBay of plans to publish details of the vulnerability within a week.
- February 11th, 2013, 4:19 PM: Received reply from eBay. Asked to adhere to their responsible disclosure guidelines and not to disclose the details of the issue until it has been fixed. Offered “to send [me] some eBay branded gifts and acknowledge [me] on [their] Security Researcher’s Acknowledgment page once this vulnerability is fixed”.
- February 11th, 2013, 4:31 PM: Reply sent. Pointed out that responsible disclosure guidelines do not preclude me from talking about an issue that was reported 8+ months prior. Agreed to hold off discussing the issue until March 14th.
- February 11th, 2013, 5:12 PM: Received acknowledgement of reply.
- February 15th, 2013: Received “eBay branded gifts” in mail.
- March 14th, 2013, 4:50 PM: Confirmed vulnerabilities remain unpatched. Published blog post. Contacted eBay to inform them about the post.
- March 14th, 2013, 10:19 PM: Reply from eBay indicating vulnerability is patched. Confirmed that some vulnerable functionality (ability to define shortcuts with arbitrary URLs) has been removed.
Note: I have replaced a link in the Disclosure Timeline with a link to the Internet Archive’s version of the same page. eBay decided to silently change its responsible disclosure guidelines between February 11th and March 14th.
The original text of their “guidelines for responsible disclosure”:
- Share the security issue with us before making it public on message boards, mailing lists, and other forums.
- Allow us a reasonable amount of time (at least 30 days from when we receive your disclosure under this process to respond to the issue before disclosing it to others.
- Provide full details of the security issue, including Proof-of-Concept URL and the details of the system where the tests were conducted.
The new text:
- Share the security issue with us before making it public on message boards, mailing lists, and other forums.
- We request that you wait until notified that the vulnerability has been resolved before disclosing it to others. We take the security of our customers very seriously, however some vulnerabilities take longer than others to resolve. There are several teams involved in working on these vulnerabilities depending on which site has the vulnerability and what function is being exploited.
- Provide full details of the security issue, including Proof-of-Concept URL and the details of the system where the tests were conducted.
Because I disclosed this issue to eBay prior to the changes to the policy, I will be leaving this post public.
Note 2: I received the following email from eBay:
Hi Neal,
We thank you for your work and your dedication to keeping the eBay community secure. We prefer that security-related information is always kept confidential. The technical teams verified the fix is working in production. Please verify.
eBay Security Research
The functionality for creating a new shortcut to an arbitrary URL appears to have been entirely removed from the site. That means there is no way to introduce a persistent XSS payload to the site. The rest of the vulnerability (the CSRF which controls which shortcuts are displayed) still functions, but is no more than a minor annoyance.
The disclosure timeline has been updated to reflect these developments.