Hey everyone. Today I would like to disclose an XSS vulnerability present on members.ebay.com which the security engineering team at eBay.com does not classify as a security issue.
If you wish to test the PoC, you must have an eBay account.
This is the logic behind the vulnerability:
(1) eBay allows users to create their own “member” pages which can contain HTML
(4) An obfuscated version of “<script>alert(document.cookie)</script>” looks like this:
The GIF below demonstrates the successful submission of the JS code above:
Now, whilst eBay session cookies are HttpOnly, there are still quite a few nasty things which can be done via such an XSS. It may even be possible to spawn a JS worm and cause mayhem. I haven’t really experimented further – but eBay does not consider this a security issue – rather, to them it’s a “function” which they allow users to use. Below is my conversation with the eBay site security team (please click it so that you can zoom in and read the text):
For those unable to view the image, here was their final response to the vulnerability:
Thank you again for your report.
We are closing this ticket since this is one of the functions where we allow users to submit active content to customize their ‘about me’ pages as long as there isn’t any violation against the (http://pages.ebay.com/help/
Our discovery team continually monitors user accounts and if there is any violation against the eBay policy, the user account will be suspended.
We welcome further submissions, and if they are true vulnerabilities to our eBay community we will gladly add your name to the site once the vulnerability is resolved.
We are closing this case without further action.
eBay Security Research
Here are their guidelines:
eBay tries to block such JS submissions through a filter – and that filter can be bypassed through JS obfuscation, allowing almost everything above to be possible. This is why, from my perspective at least, this is a security vulnerability.
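The root problem here is a blocklist filter: it looks for known-bad strings, so any encoding the filter does not anticipate gets through. The robust alternative is an allowlist sanitizer that parses the HTML and rebuilds it from only the tags and attributes explicitly permitted. The example below is added here to illustrate that approach; it is not eBay’s filter or code from this post, and the allowlist and the sample inputs (including the post’s own `<script>alert(document.cookie)</script>` string) are constructed for the demonstration.

```python
from html.parser import HTMLParser
from html import escape

# Allowlist: tag -> permitted attributes. Anything not listed is dropped.
# Constructed for this example; it is not eBay's policy or filter.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = ("br", "img", "hr", "input")  # never have a closing tag


class AllowlistSanitizer(HTMLParser):
    """Rebuilds HTML from parsed tokens, keeping only allowlisted tags and
    attributes. Text inside a dropped element (e.g. <script>) is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped, non-void element

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:  # parser already lower-cases names
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # only absolute http(s) links survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-encode text nodes


def sanitize(html_in: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)
```

Because the output is regenerated from the parse tree rather than from the submitted bytes, the spelling or encoding of a disallowed tag is irrelevant: it simply never appears in the allowlist lookup.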
Additionally, they state that they remove accounts which violate the terms and conditions. I’m somewhat skeptical of that given eBay’s size, as well as the fact that they haven’t removed my account, which has been sitting there with evil JS for around 2 months.
Nonetheless, it was fun finding this bug. Not that complex, but it can prove to be scary. I hope eBay fixes it or perhaps applies stricter criteria.
Thanks for reading, and thanks to the efforts of the eBay security team, regardless of this vulnerability – as I am sure they have dealt with many more serious vulnerabilities than this one.
Be sure to disable scripts when visiting members.ebay.com.