The Register reported today that there is a serious flaw in eBay's web site implementation that allows third-party functionality of style sheets. Cefn Hollie reported this to eBay last week. eBay has removed the fraudulent listing from their site. However, "the only way to effectively protect users from such attacks is to white-list filter a set number of CSS functions deemed to be safe and to block everything else. That may be patently obvious to some, but if eBay has only now gotten around to implementing such measures, it's a good bet plenty of other websites are still wide open to this attack. Which means we wouldn't be surprised to see more attacks like these coming to a Web 2.0 site near you."
This is not just an Internet Explorer issue; Firefox and other browsers are open to these types of attacks. Bill Sisk, Microsoft's Security Response Manager, said, "The nature of these attacks is not new and website operators commonly have protections in place to mitigate against such attacks."
Read more at: http://www.theregister.co.uk/2009/03/08/ebay_scam_wizardy/
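
The white-list filtering described in the quote above can be sketched as follows. This is an added example, not code from eBay or The Register; it goes slightly beyond the quote by allowlisting properties as well as functions, and the allowlists and the `filter_style` name are assumptions chosen for illustration.

```python
import re

# Assumed allowlists for this example; a real site would choose its own.
SAFE_PROPERTIES = {"color", "background-color", "font-size", "font-weight",
                   "text-align", "margin", "padding"}
SAFE_FUNCTIONS = {"rgb", "rgba"}

# A kept value may only use these characters, so backslash escapes, comments,
# quotes, '@' rules and angle brackets can never survive the filter.
VALUE_CHARS = re.compile(r"[a-z0-9#%.,() +-]*\Z")
# A function call is an identifier immediately followed by '('.
FUNCTION_CALL = re.compile(r"([a-z0-9-]+)\(")


def filter_style(style):
    """Return (kept_style, dropped_declarations) for a user-supplied style string."""
    kept, dropped = [], []
    for raw in style.split(";"):
        decl = raw.strip()
        if not decl:
            continue
        prop, sep, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip().lower()
        functions = FUNCTION_CALL.findall(value)
        ok = (
            sep == ":"
            and prop in SAFE_PROPERTIES
            and value != ""
            and VALUE_CHARS.match(value) is not None
            # every function used must be on the allowlist ...
            and all(name in SAFE_FUNCTIONS for name in functions)
            # ... and every '(' must belong to a recognised function call
            and value.count("(") == len(functions)
            and value.count("(") == value.count(")")
        )
        if ok:
            # Emit the normalised form, never the raw user text.
            kept.append(f"{prop}: {value}")
        else:
            dropped.append(decl)
    return "; ".join(kept), dropped
```

Anything not explicitly allowed is dropped by default, so a function or property the site has never reviewed is blocked without needing a rule for it.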