Via eWeek.com -
eBay is working to patch a cross-site request forgery vulnerability recently uncovered by a security researcher. The Avnet researcher also discovered cross-site scripting and blind SQL injection bugs in eBay's online auction site, which eBay has fixed.
eBay is working on a fix for a cross-site request forgery problem that could allow an attacker to change a user's password and get access to that user's account.
The vulnerability is one of several affecting eBay that were recently uncovered and shared with eWEEK by Nir Goldshlager, a researcher with Avnet Information Security Consulting. Among the vulnerabilities are cross-site scripting bugs in the eBay Live Help support page and eBay To Go, which the company fixed by validating user input. In addition, Goldshlager uncovered a blind SQL injection problem in the eBay donations Website.
All of the vulnerabilities have been patched except the CSRF (cross-site request forgery) flaw. According to Chad Greene, eBay's senior manager of global information security, the company has pushed code to the core site to measure the impact of potential fixes for the CSRF problem on the user and will make a decision about how to address the situation in the next three weeks.
"The nature of CSRF means that there isn't a single fix that can be applied in all cases and rolling out the wrong fix could break legitimate user functionality," Greene told eWEEK in an e-mail.
[...]
In an interview, Greene said users can report any security issues they find to eBay's security center, and the site works with members of the research community to uncover any vulnerabilities.
"We work with many members of the security community as well as the security industry … we like to do community outreach and educate the user base," Greene said.
No comments:
Post a Comment