Security researchers who have spotted new critical web vulnerabilities have warned that eBay user accounts could still be at risk, just days after the firm was forced to admit a major data breach.
The first was discovered by Stockton-on-Tees-based researcher Jordan Jones, who took to Twitter to reveal he had managed to upload shellcode to eBay, which could give him remote control of the targeted server.
The online giant said in a message shared by Jones on Twitter that it has since resolved the problem and promised to add his name to its “acknowledgement page”.
However, eBay’s problems don’t end there.
Jones also claimed to have found cross-site scripting flaws on eBay’s site which could allow an attacker to inject arbitrary code into an auction page, infecting anyone who visits that page.
Such an attack could enable cybercriminals to steal user cookies and with them break into their accounts.
Meanwhile, an Egyptian security researcher, “Yasser H. Ali”, told The Hacker News of another critical eBay vulnerability which could allow attackers to hijack millions of accounts in one go.
The Hacker News declined to release details of the flaw because eBay has yet to fix it, but claimed to have independently verified and tested that it works.
The latest revelations come as the online trading site struggles to rebuild trust with its customers after it announced a major data breach last week.
It has been heavily criticised for its slow response to the attack. Although the intrusion occurred several months ago, eBay said it only discovered something was wrong earlier this month.
It then waited around a fortnight before informing its users – and even now some are complaining that it has not shared enough information to allow them to make a proper risk assessment.
Various users have still not even received an email from the company urging them to change account passwords as a precaution.
F-Secure security advisor Sean Sullivan argued that the newly found security vulnerabilities show eBay should be running a “bug bounty” program like Google, Facebook and others.
He added that large internet companies like eBay are still operating with a false sense of security, and that engineers at the firm should be more careful about where they share information.
“As a company, eBay is no different than any other company – people are responsible for the security of the infrastructure, and people are its weakest link, not systems,” Sullivan told Infosecurity.
“A quick search of LinkedIn reveals 190 people who list themselves as Systems Administrators at eBay. The recent breach was almost certainly due to phishing and/or the compromise of an administrator’s work station.”
Ian Pratt, co-founder of security start-up Bromium, described the new vulnerabilities as “nasty and fairly basic flaws” which should have been discovered by pen testing and in-house review.
“In the meantime, concerned users may prefer to avoid logging into their eBay accounts for a few days until the flaws are fixed,” he told Infosecurity. “It's always good practice to use secure https connections rather than http as this mitigates some of the flaws.”