Poor old eBay - now the BBC says it suffered an XSS attack recently

More gloom and doom here:

 

http://www.bbc.co.uk/news/technology-29241563

 

What's a little scary is that it would be so easy to be taken in - I've certainly had the experience of eBay demanding a fresh log-in when I've tried to do something, and it would be all too easy to simply sigh and enter one's details on an authentic looking but thoroughly malicious page.

 

In a sense, villains are actually being assisted by the site's enthusiasm - probably well-intentioned - for signing us out following a period of inactivity. You've only to look at the occasional moans from folk who've been poised ready to snipe, only to be asked to sign in again on trying to bid in the final seconds of an auction.

 

What should be an extra layer of security - the request to log in afresh following inactivity - might actually have conditioned users to uncritically enter their credentials on what appears to be a genuine log-in page, even though it is in fact a malicious imitation. A sense of urgency during an auction would work on the attacker's behalf.

 

NoScript told me the other day that it had warded off a cross site scripting attempt. I was distracted by something and forgot to try to replicate it - I really wouldn't know what I was looking for anyway, to be honest.

 

NoScript seems a very valuable element of protection against XSS vulnerabilities, but I assume that it is not invulnerable. Assuming there will be some concern shown as people spot the BBC article, it would be useful to know just what to suggest to folk to reduce the risk of XSS attacks.

 

Abandon any transaction which redirects you to a fresh log-in? Examine the URL of the fresh log-in page? Would that help, or are the URLs easily "spoofed"? And so on and so forth.

 

Heck, I'd really like to know, myself. For the moment, I'll certainly stick with NoScript and allow only the very minimum JavaScript necessary for the site to work at all - but there must be other means of self defence.

 

Suggestions, please!

 

Message 1 of 6

Ebay moved this thread from Seller Central:

 

http://community.ebay.co.uk/t5/Computing-Advice-Technology-Chat/Ebay-Auction-or-Phishing-Scam/m-p/36...

 

It seems to refer to the same issue as the BBC article, but if so, the incidence of redirects may be more than isolated cases. The timing of these Xbox listings was particularly malevolent, coming on a day when the outages and associated glitches caused repeated requests to log in.

 

I had thought that clicking through from the listing to the log-in page was harmless as long as you didn't actually attempt to log in - but the BBC article seems to be saying that just clicking on the listing can be harmful. Is this true? I didn't get any warning from Windows Defender when clicking on the listing.

------------------------------------------------------------------------------------------------------
Beware of the Asterisk Police



Message 2 of 6

A spot of reading around has suggested that:

 

a) I really don't understand this;

b) it's surprisingly difficult for websites to totally prevent XSS attacks;

c) most attacks involve a degree of social engineering - luring users into taking dangerous action, such as signing in to a fake welcome page, thus surrendering their details to the attacker;

d) some attacks can harvest data stored on the user's own computer eg session/login cookies, which would make it easy for the attacker to impersonate the victim and take over the account concerned. Fortunately, these are fairly easy for sites to mitigate eg by not allowing cookies to be retrieved if the attempt to retrieve them seems to originate from a different IP address to that in use when they were set;

e) as ever, we can reduce our vulnerability by using fully patched software, being ultra-vigilant (not always easy) and taking advantage of such security features as may be available eg the NoScript add-on, certain browser settings.

 

It might be unfair to blame eBay for cross site scripting attacks occurring from time to time, although I believe that given eBay's resources, such attacks should remain very rare.

 

What is more worrying is their slowness in responding to these problems - I noticed the comments on Seller Central earlier, and the thread which was shifted here from SC a day or two ago. And yes, I think shifting that thread to the relatively lightly-read tech board was a little naughty - it might have been well-intentioned moderation, of course, shifting a technical sort-of matter to the tech board - sadly, there is just the tiniest whiff of "cover up" to it.

 

If anyone can come up with simple anti-XSS measures for us ordinary computer users, as opposed to site designers and maintainers, then that information would be greatly appreciated.

Message 3 of 6

A simple anti-XSS measure is to use the NoScript plug-in in Firefox.

 

Unfortunately, that means being pestered incessantly by messages saying it blocked an XSS attempt on ebay, unless you disable them in the options.

 

Presumably, ebay actually uses XSS deliberately.  It doesn't seem to break anything important if you block it, but it does strike me as utterly stupid - routinely behaving like a malicious attacker, to do something non-essential.

Message 4 of 6

However did you manage to rake this up from over 4 years ago, Andy? [Cat Surprised] [Cat LOL] Wuz you googlin' something related?

Message 5 of 6

Well, yes; I was googling why NoScript was showing XSS warnings more or less every time I looked at eBay.

 

In the end, I just settled for turning off the warnings.  It's a **bleep**e state of affairs.

Message 6 of 6