eBay Hackers Exploit IE, Firefox Vulnerabilities
eBay buyers are being asked to take extra precautions when conducting their online shopping after security specialists warned that a string of hackers had infiltrated the popular auction site. The hackers exploited several unpatched vulnerabilities in Firefox and Internet Explorer browsers to create false listings and entice people to bid on fraudulent items.
Details of the Stealth Attack
Analysts believe that it was an XSS (cross-site scripting) attack that used unauthorized JavaScript elements stored on third-party websites. This allowed eBay pages to contain outside email links and other unauthorized code, while still evading toolbars designed to detect these fraudulent items. (Source: theregister.co.uk)
The hackers added other elements to make their listings appear real, including an "email the seller" link which activated an aol.com address, and a random number generator which changed the item number each time the page was loaded, making the page appear as if it were "live."
The attacks targeted Firefox by exploiting the way the browser implements XBL (XML Binding Language). After the hacker had created a malicious CSS (Cascading Style Sheets) file on a third-party site, Firefox was tricked into allowing forbidden code that led to fraudulent content in the listings.
All of this, of course, went on unnoticed by the security teams at Mozilla, Microsoft, and eBay.
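The listing contents described above (script and style sheets pulled from third-party sites, and a CSS rule that attaches an XBL binding) are things a site accepting user-generated HTML can check for before a listing is published. The following Python example is added here and is not code from eBay, Mozilla or the article; the host names, the TRUSTED_HOSTS policy and the sample listing are assumptions constructed for illustration, and -moz-binding is the CSS property Firefox used to attach XBL bindings.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the auction site serves its own assets from this host only.
TRUSTED_HOSTS = {"listings.example"}
# -moz-binding attached an XBL binding in Firefox; @import pulls in more CSS.
CSS_RISKS = re.compile(r"-moz-binding|@import", re.I)

def _offsite(url):
    """True when url names a host outside TRUSTED_HOSTS (relative URLs pass)."""
    host = urlparse(url.strip()).hostname
    return host is not None and host not in TRUSTED_HOSTS

class ListingAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (kind, detail) tuples in document order
        self._in_style = False   # True while inside a <style> element

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and _offsite(a.get("src", "")):
            self.findings.append(("external-script", a["src"]))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            if _offsite(a.get("href", "")):
                self.findings.append(("external-stylesheet", a["href"]))
        elif tag == "style":
            self._in_style = True
        if CSS_RISKS.search(a.get("style", "")):  # inline style attribute
            self.findings.append(("css-binding", a["style"]))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and CSS_RISKS.search(data):
            self.findings.append(("css-binding", data.strip()))

def audit_listing(html):
    auditor = ListingAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample listing, not taken from the real attack.
SAMPLE = """<link rel="stylesheet" href="https://cdn.third-party.example/t.css">
<style>.item { -moz-binding: url("https://cdn.third-party.example/b.xml#x"); }</style>
<script src="//cdn.third-party.example/widget.js"></script>"""
```

A listing that returns any finding would be held for review or have the offending markup stripped before it is shown to buyers.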
Mozilla, MS, eBay all play The Blame Game
While the attack was carried out externally by hackers, all three of the major players involved in the security breach have pointed their fingers at each other.
eBay downplayed the severity of the attack, claiming that "online security experts are already aware of the breach and have identified it as a known bug in Firefox. eBay utilizes sophisticated security technologies to protect our customers against attacks such as this." (Source: techchuck.com)
While claiming to have taken down all known hoax listings on their domain, eBay warns that listings found on other websites that accept user-generated content may still be vulnerable.
Microsoft also weighed in on the situation, claiming that the security breach was not the result of unpatched vulnerabilities in Internet Explorer, but rather because of external websites that fail to properly protect themselves and others against such attacks.
Mozilla claimed to be in the process of patching all known Firefox vulnerabilities as well.
In any event, all three parties urge consumers to be extra cautious when purchasing items over the Internet.