Published on May 24th, 2014 📆 | 4079 Views ⚑


eBAY Multiple Flaws leave Millions of Users vulnerable to Hackers


Security researcher, Jordan Jones claims and tweeted from his account that he already reported the critical flaw to eBay, along with a proof-of-concept screenshot which shows that he has successfully uploaded a 'shell.php' file (as shown), a PHP script that allows the attacker to control the server - essentially a backdoor program.
Worst Day for eBAY, Multiple Critical Flaws leave Millions of its Users vulnerable to Hackers
At the time of writing, we confirmed that the file ‘shell.php’ is available on the Ebay server at given location: "", but modified to a blank file.
In a blog post, Jordan has also reported about a cross site scripting vulnerability in the eBay Research Labs page (


Michael E., another security researcher from Germany reported The Hacker News that he found a Persistent Cross-Site Scripting (XSS) vulnerability on eBay’s auction pages that allowed him to inject arbitrary HTML and Javascript code into the eBay website.
[adsense size='1']
Each time a user visits any infected auction page created by the attacker, the reported persistent XSS vulnerability will execute the unauthorized Javascript code on the users’ browser with a payload to steal their account cookies, in an effort to hijack the user’s account.
Worst Day for eBAY, Multiple Critical Flaws leave Millions of its Users vulnerable to Hackers
Anyone with an appropriate technical knowledge can create an auction page with malicious javascript, as shown in a proof-of-concept link created by the Michael.

In a separate experiment, we have discovered that eBay accepts the same login cookies again and again, even if the victims have logged out or reset their passwords.
Which means by using Michael’s persistent XSS vulnerability, one can steal eBay users’ account cookies in order to get an unauthorized access to the users’ respective accounts, without knowing their previous or updated passwords.
An Egyptian security researcher ‘Yasser H. Ali’ informed The Hacker News about another critical vulnerability on the eBay website, that can seriously allow an attacker to hijack millions of user accounts in bulk and this exploit could be very successful in the targeted attacks.
For now we are keeping technical details of this vulnerability hidden from our readers, Sorry; because it has not been yet addressed by the eBay security team. But last evening, as a proof of concept Mr.Yasser privately demonstrated the vulnerability step-by-step to ‘The Hacker News’ team and we confirm - IT WORKS. We promise to share the technical details of this interesting flaw, once eBay team will patch it.


eBay failed badly to protect its 145 million customers’ sensitive data from the previous data breach and yet has not learned any lesson. There are few points, we would like to highlight about eBay’s passive behaviour towards users’ security.
Two months ago hackers stole a database full of eBay users’ information, including customer names, account passwords, email addresses, physical addresses, phone numbers and birth dates, that can be passed on to other criminals. Such sensitive information could be used by a potential hacker to gather more details about the users by sending spam messages and phishing mails, that could lead to problems with identity fraud.
[adsense size='1']
When companies are hacked, alerting customers is usually the first thing. But according to the media reports, even after 30 hours - eBay hasn't emailed all of its users to notify them that they must change their passwords. Also the company has also not made clear how many people were affected in the latest data breach.
According to a separate news on Daily mail, eBay could be fined £500,000 for breach of its data 18 million Britain users. The penalty can be imposed by the Information Commissioner's Office, ‘would amount to just 2p for each of the and 0.00002 per cent of the company's global annual turnover.’ BAD LUCK!


All the above listed vulnerabilities have been reported to the eBay Security team by each researcher, and we hope someone from eBay security team will definitely read this article to understand the threats they could face from malicious hackers.eBay should be more concern about the security of its users and protective towards its users’ privacy, as the company is responsible for the hundreds of millions of users if it fails at any point.

Tagged with:

Comments are closed.