Tag: ebay
2013
03.14

Summary

eBay has changed its responsible disclosure policy for security researchers. The older policy asked researchers to “Allow us a reasonable amount of time (at least 30 days from when we receive your disclosure under this process to respond to the issue before disclosing it to others.” The new policy asks researchers to “wait until notified that the vulnerability has been resolved before disclosing it to others.” This new policy means that eBay can ignore vulnerabilities reported by researchers with no repercussions.

Backstory

I just published a post about two security vulnerabilities I found in my.ebay.com. I first reported these vulnerabilities to eBay in May 2012. While I was never told when the vulnerabilities would be patched, eBay’s responsible disclosure policy provided the following guidelines:

  • Share the security issue with us before making it public on message boards, mailing lists, and other forums.
  • Allow us a reasonable amount of time (at least 30 days from when we receive your disclosure under this process to respond to the issue before disclosing it to others.
  • Provide full details of the security issue, including Proof-of-Concept URL and the details of the system where the tests were conducted.

You can see these guidelines in their original form thanks to the Internet Archive.

In February, I contacted eBay to try and figure out why the vulnerabilities had not been patched. I also informed them that, per their responsible disclosure policy, I was planning to publish the details of the vulnerabilities I had discovered. They sent me the following email back:

Hi Neal,

We thank you for your work and your dedication to keeping the eBay community secure. We ask that you wait until we’ve fixed the reported vulnerability before disclosure, as per our Guidelines for Responsible Disclosure. Although this issue has not been fixed, it is in the queue and scheduled to be fixed. As a token of appreciation, we would like to send you some eBay branded gifts and acknowledge you on our Security Researcher’s Acknowledgment page once this vulnerability is fixed. Please send us your address if you’d like us to send you a few eBay goodies.

Thanks,

eBay Security Research

At that point, their responsible disclosure policy was identical to the one I presented above. I sent back the following reply:

Hey,

Just to be clear, your guidelines for responsible disclosure say the following:

“Allow us a reasonable amount of time (at least 30 days from when we receive your disclosure under this process to respond to the issue before disclosing it to others.”

This report was originally filed and acknowledged on May 11th, 2012. Over 30 days later (June 12th, 2012) I asked for an update and was told there was no update. It is now February 11th, 2013, many months beyond 30 days. Under your policy I am fully within my rights to disclose the issue to others without fear of reprisal.

As a courtesy I will hold off publishing details of this issue until March 14th, which is 31 days from today.

Best,
Neal

And received a response from eBay:

Hi Neal,

We appreciate your patience in this process and your continuous support in keeping eBay secure. We will keep you updated on the progress.

Thanks,
eBay Security Research

I received no further emails from eBay.

Shifting Policy

After publishing my post today, I returned to the responsible disclosure page and found the following new set of guidelines:

  • Share the security issue with us before making it public on message boards, mailing lists, and other forums.
  • We request that you wait until notified that the vulnerability has been resolved before disclosing it to others. We take the security of our customers very seriously, however some vulnerabilities take longer than others to resolve. There are several teams involved in working on these vulnerabilities depending on which site has the vulnerability and what function is being exploited.
  • Provide full details of the security issue, including Proof-of-Concept URL and the details of the system where the tests were conducted.

The second guideline, which changes the disclosure timeline for a vulnerability from “at least 30 days” to “whenever eBay decides to patch an issue,” is the only difference. The guideline is designed to sound reasonable and responsible; it reminds us that eBay takes security seriously, it points out the complexities of coordinating patches between many teams, etc. But while some security vulnerabilities may take a long time to be patched, many are fairly straightforward and should not need to take more than a month from disclosure to patch.

In addition, it is the job of eBay’s security team to manage the expectations of outside security researchers. While researchers may have been entitled to release details of a vulnerability after 30 days under the old policy, in general many researchers are happy to hold off on public disclosure if the company is working actively to address the issue. Personally, I have reported plenty of vulnerabilities where I have had to wait months for a patch to be released. As long as the vendor provides some assurances that a patch is in the works, I am more than happy to withhold public disclosure.

Conclusion

The fact that the guideline was (silently) changed between when my email was sent and when my post was published speaks volumes about security at eBay. It tells me that someone at eBay saw my email and decided it was easier to change the responsible disclosure policy and send me “eBay goodies” than it was to follow up on my report. If that’s how eBay feels about responsible disclosure, I won’t be searching for any vulnerabilities on their sites in the future.

2013
03.14

Summary

In mid-2012 I discovered and reported a combination of CSRF and persistent XSS on my.ebay.com. This report was quickly acknowledged by eBay but the vulnerabilities have not been fixed almost a year after the initial disclosure. To mitigate the potential risk, I would recommend that users log out of their eBay accounts when browsing other websites.

Details

The my.ebay.com website has a section in the left sidebar called “Shortcuts.” These shortcuts, by default, are pre-defined links to sections of eBay. It is possible for a user to edit the list of shortcuts and to add their own, pointing to arbitrary URLs.

I reported two distinct but related vulnerabilities to eBay:

  1. It is possible to create a shortcut that will execute JavaScript when clicked on by writing a somewhat convoluted JavaScript URL: the example I used was javascript://%0D%0Aalert(document.domain);. A URL in this format allows me to evade eBay’s filters but still have JavaScript execute in the latest versions of Firefox, Chrome, and IE. A slightly more detailed explanation of how this URL works can be found at http://sla.ckers.org/forum/read.php?2,13209,page=1#msg-13248.
  2. The endpoints that eBay uses to add a shortcut and to remove existing shortcuts are vulnerable to a CSRF attack.

Taken together, these vulnerabilities allow me to create a shortcut on a logged-in eBay user’s account that, when clicked, executes JavaScript.

Because the vulnerabilities remain unpatched I will not be publishing the proof of concept code that I sent to eBay.

Disclosure Timeline

  • May 11th, 2012, 11:56 AM: Submitted details of vulnerability via “Security Researchers” form.
  • May 11th, 2012, 3:12 PM: Reply from eBay. Report acknowledged, details forwarded to engineering team.
  • May 23rd, 2012: Sent followup asking for any updates.
  • May 24th, 2012, 5:09 PM: Asked to provide more details (screenshot, more explicit steps to reproduce) to assist in reproducing the issue.
  • May 24th, 2012, 5:23 PM: Sent reply containing screenshot and more explicit steps to reproduce the issue.
  • June 9th, 2012: Sent followup asking for any updates.
  • June 11th, 2012: According to eBay’s responsible disclosure guidelines, this issue may be discussed publicly (“Allow us a reasonable amount of time (at least 30 days from when we receive your disclosure under this process to respond to the issue before disclosing it to others”).
  • June 12th, 2012: Reply received from eBay: “Not yet. We’ll let you know when this is resolved.”
  • February 8th, 2013: Sent followup asking for any updates. Advised eBay of plans to publish details of the vulnerability within a week.
  • February 11th, 2013, 4:19 PM: Received reply from eBay. Asked to adhere to their responsible disclosure guidelines and not to disclose the details of the issue until it has been fixed. Offered “to send [me] some eBay branded gifts and acknowledge [me] on [their] Security Researcher’s Acknowledgment page once this vulnerability is fixed”.
  • February 11th, 2013, 4:31 PM: Reply sent. Pointed out that responsible disclosure guidelines do not preclude me from talking about an issue that was reported 8+ months prior. Agreed to hold off discussing the issue until March 14th.
  • February 11th, 2013, 5:12 PM: Received acknowledgement of reply.
  • February 15th, 2013: Received “eBay branded gifts” in mail.
  • March 14th, 2013, 4:50 PM: Confirmed vulnerabilities remain unpatched. Published blog post. Contacted eBay to inform them about the post.
  • March 14th, 2013, 10:19 PM: Reply from eBay indicating vulnerability is patched. Confirmed that some vulnerable functionality (ability to define shortcuts with arbitrary URLs) has been removed.

Note: I have replaced a link in the Disclosure Timeline with a link to the Internet Archive’s version of the same page. eBay decided to silently change its responsible disclosure guidelines between February 11th and March 14th.

The original text of their “guidelines for responsible disclosure”:

  • Share the security issue with us before making it public on message boards, mailing lists, and other forums.
  • Allow us a reasonable amount of time (at least 30 days from when we receive your disclosure under this process to respond to the issue before disclosing it to others.
  • Provide full details of the security issue, including Proof-of-Concept URL and the details of the system where the tests were conducted.

The new text:

  • Share the security issue with us before making it public on message boards, mailing lists, and other forums.
  • We request that you wait until notified that the vulnerability has been resolved before disclosing it to others. We take the security of our customers very seriously, however some vulnerabilities take longer than others to resolve. There are several teams involved in working on these vulnerabilities depending on which site has the vulnerability and what function is being exploited.
  • Provide full details of the security issue, including Proof-of-Concept URL and the details of the system where the tests were conducted.

Because I disclosed this issue to eBay prior to the changes to the policy, I will be leaving this post public.

Note 2: I received the following email from eBay:

Hi Neal,

We thank you for your work and your dedication to keeping the eBay community secure. We prefer that security-related information is always kept confidential. The technical teams verified the fix is working in production. Please verify.

eBay Security Research

The functionality for creating a new shortcut to an arbitrary URL appears to have been entirely removed from the site. That means there is no way to introduce a persistent XSS payload to the site. The rest of the vulnerability (the CSRF which controls which shortcuts are displayed) still functions, but is no more than a minor annoyance.

The disclosure timeline has been updated to reflect these developments.