27 May 2014

New Cross-Site Scripting Vulnerability Found on eBay; Weaker Passwords Allowed

A cross-site scripting (XSS) vulnerability has been found on eBay's labs page, and users are being allowed to set weaker passwords after last week's breach, according to The Register.

The password reset process violates its own policy, rating strong passwords generated with special tools as weak and common passwords as strong.

"Researchers also reported and posted details on vulnerabilities within eBay web assets," the article said. "Jordan Lee Jones (@CEHSecurity) reported an exploit developed in the MetaSploit security tool which allowed him to upload a shell via an eBay flash upload page."

The shell seems to have been removed and a patch was issued for the vulnerability.

The XSS vulnerability also appears to allow a search for a password file on the eBay labs server. If retrieved, that file could contain administrator passwords, which are the most valuable ones.

The XSS vulnerability and the malfunction of eBay's password system follow last week's massive breach on eBay.