
Has a second eBay zero day security flaw been discovered?

[Screen capture: eBay XSS vulnerability, another eBay flaw uncovered]

After last week's massive security alert, eBay may well have been hit by a second flaw, one which was discovered by a 19-year-old British student.

Jordan Lee Jones, who hails from Stockton-on-Tees, told PCWorld that he reported the vulnerability to eBay on Friday and decided to make it public on Monday.

The vulnerability Jones found is a cross-site scripting (XSS) flaw, in which script from one site can be injected into another and executed remotely in visitors' browsers.

Jones uploaded a screen capture (above) showing that he was able to create a pop up box on eBay's labs webpage using this technique.

Password changing time?

Hackers would also be able to collect cookies - small disposable files that contain personal data - from eBay users; these can subsequently be used to access websites or as a means of authentication.
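To make the two points above concrete (script injected into a page, and session cookies exposed to that script), here is an added example that is not from the article, from Jones, or from eBay. It shows the pattern behind most XSS flaws, a page copying untrusted input straight into its HTML, alongside the standard mitigations: HTML-encoding the input before it is rendered, and flagging the session cookie `HttpOnly` so that even a successful injection cannot read it via `document.cookie`. The input string, the function names and the cookie name `session` are all constructed for illustration.

```javascript
// Added example (not from the article): why unencoded output enables XSS,
// and the two defences a site would apply against it.

// Constructed sample input: text a visitor might supply in a query string.
// The page reports that the researcher triggered a pop-up box; a script tag
// is the textbook way such a box gets produced.
const UNTRUSTED_INPUT = '<script>alert(1)</script>';

// Vulnerable pattern: raw string concatenation into HTML. Whatever the
// visitor typed is interpreted by the browser as markup, not as text.
function renderUnsafe(term) {
  return '<p>Results for: ' + term + '</p>';
}

// Hardened pattern: encode the five characters that can change the meaning
// of HTML before the value is inserted into the document.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(term) {
  return '<p>Results for: ' + escapeHtml(term) + '</p>';
}

// Cheap regression check: does the rendered HTML contain any tag other than
// the <p> the template itself wrote? Returns true when injection succeeded.
function containsForeignTag(html) {
  const tags = html.match(/<[a-zA-Z/][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?p>$/.test(t));
}

// Second defence: session cookies are the usual prize for XSS. Marking the
// cookie HttpOnly keeps it out of document.cookie, and Secure/SameSite limit
// where it travels. (Cookie name "session" is a constructed placeholder.)
function sessionCookieHeader(sessionId) {
  return 'session=' + encodeURIComponent(sessionId) +
    '; HttpOnly; Secure; SameSite=Lax; Path=/';
}

// Stand-alone demonstration.
console.log('unsafe :', renderUnsafe(UNTRUSTED_INPUT));
console.log('safe   :', renderSafe(UNTRUSTED_INPUT));
console.log('injected (unsafe)?', containsForeignTag(renderUnsafe(UNTRUSTED_INPUT)));
console.log('injected (safe)?  ', containsForeignTag(renderSafe(UNTRUSTED_INPUT)));
console.log('Set-Cookie:', sessionCookieHeader('abc123'));
```

Output encoding must happen at the point of insertion into HTML, not on input, because the same value may later be placed in a URL, an attribute or a script context that each need different encoding; `HttpOnly` does not stop XSS itself, it only removes the easiest thing to steal with it.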

The discovery of the flaw came 24 hours after eBay's defenses were breached and an estimated 145 million user accounts were compromised.

A sample of the database was posted online - and apparently available on sale - but eBay stated that they were not genuine.

Jones' eBay cross-site scripting code can be found on his website. Unlike the one discovered on Thursday, this vulnerability is not scalable and changing your login details would make no difference.