eBay scammers work unpatched weaknesses in Firefox, IE

Other sites also vulnerable to CSS attack


Updated eBay scammers have been exploiting unpatched weaknesses in the Firefox and Internet Explorer browsers to deliver counterfeit pages that try to dupe people surfing the online auction house to bid on fraudulent listings.

The attacks managed to inject eBay pages with hostile code by exploiting issues long known to afflict Firefox and IE. While eBay has managed to block the exploit from working on its domains, other websites that accept user-generated content may still be vulnerable to the attacks, web security experts warn.

Firefox security volunteers say they are in the process of patching the vulnerability. For their part, Microsoft officials say the exploits aren't the result of a vulnerability in IE but rather of websites that fail to properly protect against such attacks.

The evil genius behind the eBay scheme managed to pull off what amounts to an XSS, or cross-site scripting, attack that injected forbidden javascript elements stored on third-party websites. That allowed the eBay pages to contain outside email links and other unauthorized code while still evading toolbars designed to detect fraudulent listings.

In addition to injecting a link that automatically prompts users to email the seller at an aol.com address, the scam used a random number generator to change the item number each time the page was loaded. Item numbers are supposed to be unique and are used to report fraudulent listings. Changing the number made it harder for eBay's fraud busters to remove bogus auctions.

Screenshot of fraudulent eBay listing

Picture perfect: an eBay listing with fraudulent elements injected into it

The attacks targeted Firefox by exploiting the way the browser implements what's known as XBL, or XML binding language. By invoking a rogue CSS, or cascade style sheet, hosted on a third-party site, the Mozilla browser was tricked into running forbidden code that injected fraudulent content into the listings. Over the past week, there has been considerable debate among Mozilla security volunteers about whether the condition amounted to a security vulnerability or an intended feature. They decided to make changes to the browser after witnessing the eBay scams that abused it.

"Patches are being constructed to get rid of an existing useful feature due to the patent inability of some websites to take elementary protective measures even after 5 years of the feature existing and after being repeatedly told to NOT link to external sheets by all browser vendors," one debate participant wrote El Reg in an email. "Note that the patch won't really help eBay much unless they really do start filtering the CSS they allow, since so much can be accomplished with just CSS."

A similar issue also related to off-site CSSes allowed the eBay attacks to work flawlessly on IE browsers, as the above screenshot makes clear. The exploit targeted IE functionality commonly referred to as expressions that has long been a known vector of XSS exploits. While IE 8 has been locked down to prevent such attacks, versions 6 and 7 of the Microsoft browser have not, and Bill Sisk, Microsoft's security response communications manager, said there are no plans to add such protections to the older browsers.

"Our investigation has shown that it is not a vulnerability in Internet Explorer," Sisk wrote in an email over the weekend. "In fact, the claim represents a method by which malicious attackers can exploit specific functionality in websites to bypass security measures. The nature of these attacks is not new and website operators commonly have protections in place to mitigate against such attacks."

Sisk's point is well-taken that eBay and other websites have an affirmative duty to filter code that allows these attacks to succeed. But his insistence that IE is blameless isn't entirely right, either. Microsoft has rightfully decided to protect IE 8 users by changing some of the browser's behavior concerning external CSS. Users of IE 7 deserve no less.

As was the case last week even large, sensitive sites such as eBay don't always protect against such attacks. Company spokeswoman Nichola Sharpe issued a statement that read in part: "This is not a new security threat, our online security experts are already aware of this and have identified it as a known bug in Firefox. eBay utilizes sophisticated security technologies to protect our customers against attacks such as this. We continually update our security to deal with emerging threats - and have done so with this threat."

Maybe, but eBay took more than 24 hours to remove one such fraudulent listing after it was reported, said Cefn Hoile, a browser security expert who first reported the Firefox issue.

"eBay has to take some responsibility for sure," Hoile wrote in an email. "They chose to serve this content which incorporated the third party stylesheet."

The only way to effectively protect users from such attacks is to white-list filter a set number of CSS functions deemed to be safe and to block everything else. That may be patently obvious to some, but if eBay has only now gotten around to implementing such measures, it's a good bet plenty of other websites are still wide open to this attack. Which means we wouldn't be surprised to see more attacks like these coming to a Web 2.0 site near you. ®

This article was updated to remove the words "bugs" and "vulnerabilities" to reflect Microsoft's contention that the attacks aren't the result of flaws in IE.

Broader topics

Narrower topics


Other stories you might like

  • US says Russian ran online marketplace of stolen logins
    Cyber-souk offered bundle deals of account access and credit card info, says Uncle Sam

    A Russian national was indicted in the US on Tuesday for allegedly running an online marketplace selling access to credit card, shopping, and web payment accounts belonging to tens of thousands of victims.

    Igor Dekhtyarchuk, 23, who is on the FBI's Cyber's Most Wanted list, is suspected to be the mastermind of an underground cyber-souk dubbed "Marketplace A" by the US Department of Justice. The site, launched in 2018 and known as a carding shop in the cyber-security industry, sold login details for people's internet banking and retail accounts so that fraudsters could, for instance, go on spending sprees on a stranger's dime.

    Marketplace A functioned like any other online store, and even had bundle deals, such as an offer to buy access to two online retail accounts and get some credit card information thrown in, for the same victim, it was claimed. The credentials were priced according to a victim's account balances; miscreants allegedly had to pay more for data associated with accounts with more money to steal from.

    Continue reading
  • DMCA-dot-com XSS vuln reported in 2020 still live today and firm has shrugged it off
    Researcher tells world after being stonewalled

    There is a live cross-site scripting (XSS) vulnerability in takedowns website DMCA-dot-com's user interface. It's existed for more than a year and the site's operators don't appear to be interested in fixing it.

    Infosec researcher Joel Ossi, founder of Dutch security firm Websec, announced his findings after spending more than a year trying and failing to get DMCA-dot-com to take the XSS seriously.

    "I registered at DMCA at first with an intention to protect my own website," he blogged, explaining that he found unescaped free-text entry boxes in the DMCA user interface allowed him to create an XSS.

    Continue reading
  • CafePress fined for covering up 2019 customer info leak
    Watchdog demands $500,000 after millions of people's info stolen and sold

    The FTC wants the former owner of CafePress to cough up $500,000 after the customizable merch bazaar not only tried to cover up a major computer security breach involving millions of netizens, it failed to safeguard customers' personal information.

    In a complaint [PDF] filed against CafePress former owner Residual Pumpkin Entity and PlanetArt, which bought the platform in 2020, the FTC alleges multiple instances of shoddy security practices at the online biz. In a settlement proposed by the US watchdog, Residual Pumpkin will pay up the half-million dollars.

    The complaint highlighted that in February 2019 criminals stole, and then sold on the dark web, a treasure trove of personal information they found relatively easily on CafePress systems. This data included: more than 20 million unencrypted email addresses and encrypted passwords; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and the last four digits of for tens of thousands of credit cards.

    Continue reading
  • App, security teams need closer bond to fend off cyberattacks
    Enterprises should shift left to protect themselves, says Immersive Labs

    Enterprises need to create a more strategic alliance between their application security and cybersecurity teams if they are going to better protect themselves against cyberthreats.

    Organizations can no longer wait for attacks to happen and then respond, according to Sean Wright, principal application security SME at Immersive Labs, creators of an enterprise platform that measures the cyber capabilities of their workforce. Instead, they need to embrace the shift-left mantra that calls for more security-related tasks – with testing being a big one – being performed earlier in the software development process, essentially weeding out potential flaws and vulnerabilities before they're compromised by attackers.

    The end result should be to reduce the risk to the organization, Wright told The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2022