eBay year-long patch stall a little XSSive, researcher says

Clarified Security researcher Jaanus Kääp has disclosed a year-old cross-site scripting (XSS) bug in eBay's messaging service that lets attackers target victims through messages.

The researcher says he reported the XSS three times over more than a year and says he is surprised to find the bug be describes as dangerous has as of the time of writing not been shuttered.

His XSS could allow attackers to steal sessions to impersonate users and send seemingly any malicious payload through messages.

The disclosure is a departure from Kääp's regular wait-till-patch procedure but is in-line with a prevailing standard to drio bugs when vendors go quiet.

eBay has been contacted for comment.

"I discovered the vulnerability where attacker can do XSS over eBay's internal messages and since the session cookies in ebay are not HTTPonly, it was a quite [dangerous] issue for targeted attacking," Kääp says in an advisory.

"When I reported this, I got the basic email back about how much they value the security and so on [and] they asked not to disclose the issue to public but then also added that they will not give me any information about when or how the issue will be fixed.

"I thought that this is kind of strange but to hell with that - as long as they fix it in normal time, I don't care."

After three months the regular penetration tester pinged eBay about what should have been a quick fix. He says he received boilerplate non-answers for each of the three inquiries leading up to the full disclosure.

The silent treatment appears to this author to be out of character; eBay operates a formal bug bounty program and has fixed scores of vulnerabilities reported by external security researchers.

The disclosure follows recent news ofa serious hole CheckPoint bods disclosed in eBay's Magneto commerce platform, which affects tens of thousands of online shops. ®