eBay is in the headlines once again this week as the online auction site has reportedly been compromised by a cross-site scripting (XSS) attack, in which users were redirected to a spoof site designed to steal their credentials. This latest attack follows an announcement from the company back in May urging its users to change their passwords after one of its databases containing encrypted passwords and other customer data had been compromised via a “small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network”.
Cross-site scripting has been a known attack vector for many years and is currently ranked as number three in the OWASP Top Ten, which is an authoritative source of the most common web application vulnerabilities. The impact of this type of attack can be wide and varied; it is possible to leverage a cross-site scripting flaw to deliver malware to an unsuspecting victim or, as appears to be the case here, to redirect users to malicious sites designed to capture their credentials.
eBay appears to have been vulnerable to a variant of cross-site scripting in which malicious code could be delivered to its users without requiring any interaction between the attacker and the victim, arguably the most severe form of this vulnerability.
The defences against this type of attack are well understood, and one would expect all organisations, particularly those with vast quantities of customer data to protect, to have them in place.
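As an added illustration of the well-understood defence referred to above (example code, not anything from eBay or the original article), the following JavaScript shows the unsafe rendering that lets script stored in a listing reach every viewer beside the hardened version that escapes untrusted fields for their HTML context; the listing fields, helper names and placeholder URL are constructed.

```javascript
// Added example (not from the original article): contextual HTML escaping of
// untrusted, user-supplied content before it is embedded in a page, the
// standard defence against stored cross-site scripting. All names and sample
// data below are constructed for illustration.

// Escape the five characters that change meaning in HTML text and
// double-quoted attribute contexts.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the stored description is concatenated straight into
// the markup, so any HTML or script an attacker saved is sent to every viewer.
function renderListingUnsafe(listing) {
  return `<h2>${listing.title}</h2><div class="desc">${listing.description}</div>`;
}

// Hardened rendering: every untrusted value is escaped for the context it
// lands in, so injected markup is displayed as text rather than executed.
function renderListingSafe(listing) {
  return `<h2>${escapeHtml(listing.title)}</h2>` +
         `<div class="desc">${escapeHtml(listing.description)}</div>`;
}

// Detection helper a review or monitoring job could run over stored listings:
// flags descriptions carrying raw script tags, inline event handlers or
// javascript: URLs. A heuristic, not a substitute for output encoding.
function looksLikeMarkupInjection(description) {
  return /<\s*script|\bon\w+\s*=|javascript:/i.test(description);
}

// Constructed sample: a listing whose description would redirect the viewer
// to a credential-harvesting page (the URL is a placeholder, not a real site).
const sampleListing = {
  title: 'Vintage camera <b>mint</b>',
  description: '<script>location.href="https://example.invalid/login"</script>Great condition',
};

console.log('unsafe :', renderListingUnsafe(sampleListing));
console.log('safe   :', renderListingSafe(sampleListing));
console.log('flagged:', looksLikeMarkupInjection(sampleListing.description));
```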
These days it is more a case of when, rather than if, a breach will occur, so organisations must focus on full network visibility and on ensuring that incident response teams can detect, contain and remediate an attack when one inevitably arises. After all, attackers are adept at exploiting any gap in security defences, and it only takes one successful attempt for a disastrous data breach to occur.