Wednesday, September 17, 2014

eBay redirect attack puts buyers' credentials at risk

http://www.bbc.com/news/technology-29241563

EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials. The spoof site had been set up to look like the online marketplace's welcome page. The US firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later.
One security expert said he was surprised by the length of time taken. "EBay is a large company and it should have a 24/7 response team to deal with this - and this case is unambiguously bad," said Dr Steven Murdoch from University College London's Information Security Research Group. The security researcher was able to analyse the listing involved before eBay removed it. He said that the technique used was known as a cross-site scripting (XSS) attack.
It involved the attackers placing malicious Javascript code within product listing pages. This code in turn automatically redirected affected users through a series of other websites, so that they ended up at the page asking for their eBay log-in and password. Users only had to click the original listing to have their browser hijacked.
INC News, 17/09/2014-via BBC

No comments: