
New security problems keep eBay on edge

Jeremy Kirk | May 28, 2014

EBay's security team isn't going to get a break for a while.

The crowd-sourced approach is more efficient for companies, since they benefit from having many pairs of eyes on their operations. One study found that the rewards paid out cost less than hiring more full-time security staff.

Instead of payment, EBay recognizes researchers who disclose flaws responsibly and do not publish details publicly before a flaw is patched. A long list of contributors is on its Responsible Disclosure Acknowledgement Page, and Ali is among them.

Joshua Rogers, a teenager who lives in Melbourne, said he started looking around eBay's website just prior to the data breach because he was bored. Rogers is notable for finding a SQL injection flaw late last year in the website of Public Transport Victoria, which runs that Australian state's transport system.

He said via email he's found several cross-site scripting vulnerabilities and an information leakage flaw in eBay. He also found a SQL injection vulnerability, which was fixed by eBay about four days ago.

Moore said that eBay allows "active content" on its pages, which uses JavaScript code and the multimedia program Flash from Adobe Systems. It allows sellers to make their content more attractive, he said.

But he wrote "we are aware that active content may be also used in abusive ways."

EBay's security system detects when malicious code is inserted on the website, and it bans the use of some kinds of active content, Moore wrote. Product listings that have malicious content are removed.
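To make the "allowed active content versus banned active content" distinction concrete, here is an added example of a pre-publication checker for seller-supplied listing HTML. It is not eBay's code and does not reflect eBay's actual rule set; the tag and attribute policy, the function names (`scan_listing`, `is_allowed`) and the sample listings are all constructed for this illustration. It uses only the Python standard library so it runs offline.

```python
"""
Added example (not eBay's code): flag the kinds of active content a
marketplace might refuse in seller-supplied listing HTML.

Assumed, constructed policy (not eBay's real rules):
  * active-content tags  : script, object, embed, iframe, applet
  * inline event handlers: any attribute whose name starts with "on"
  * URL attributes       : must not use javascript:, vbscript: or data: schemes
"""
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}
URL_ATTRS = {"href", "src", "action", "data", "formaction"}
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


class ActiveContentScanner(HTMLParser):
    """Collects a human-readable finding for every policy violation seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names and
        # decodes character references in attribute values for us.
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value is not None:
                # Browsers tolerate leading whitespace and embedded
                # whitespace/control characters in a scheme, so compare on a
                # compacted form rather than the raw attribute text.
                compact = "".join(
                    ch for ch in value.lower().replace("\x00", "") if not ch.isspace()
                )
                if compact.startswith(BLOCKED_SCHEMES):
                    self.findings.append(f"blocked URL scheme in {name} on <{tag}>")

    # Self-closing tags such as <embed ... /> go through the same checks.
    handle_startendtag = handle_starttag


def scan_listing(html):
    """Return the list of policy findings for one listing fragment ([] if clean)."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_allowed(html):
    """True when the listing contains none of the banned active content."""
    return not scan_listing(html)


# Constructed sample listings (not real eBay listings).
SAMPLE_LISTINGS = {
    "plain": '<p>Vintage camera, <b>mint</b> condition</p>'
             '<img src="https://example.invalid/cam.jpg">',
    "script": '<p>hi</p><script>document.title="x"</script>',
    "inline_handler": '<img src="x" onerror="console.log(1)">',
    "js_url": '<a href="JavaScript:void(0)">click</a>',
    "flash": '<object data="movie.swf"></object>',
}


if __name__ == "__main__":
    for name, html in SAMPLE_LISTINGS.items():
        verdict = "allowed" if is_allowed(html) else "rejected"
        print(f"{name:15s} {verdict:9s} {scan_listing(html)}")
```

The scanner is a gate, not a sanitizer: a listing with any finding is rejected outright rather than cleaned, which avoids the classic failure of stripping one construct and leaving a second one that the stripping itself just created. A real deployment would also need to decide what to do with listings that were already live when a rule changed, which is the removal step the article describes.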

One problem involving Flash was reported to eBay last week by 19-year-old Jordan Lee Jones, who lives in Stockton-on-Tees, U.K. The flaw allowed him to upload shellcode to eBay's network, which would have made it possible to deface part of the website or download the backend database.

Moore said eBay is working on a fix.
