PC World — You never can defend yourself too much while online.
A flaw on eBay's website enabled a scam designed to trick people into handing over their personal information. eBay promptly patched the flaw, but experts I spoke with are wondering how long the fix will hold.
The flaw allowed a scammer to use an increasingly common type of attack called cross-site scripting, or XSS, to redirect people from an eBay listing to a spoofed eBay site. Though eBay may have plugged the hole for now, experts say, similar problems have surfaced in the past on eBay and other sites, and it's a safe bet they will again. The problem is not going away, and it will continue to cause visitors to eBay and other sites trouble for the foreseeable future.
How it worked
On a tip from a PC World reader, I reviewed the scam before eBay canceled the auction that it keyed to. Once potential victims were taken to the fake, or spoofed, eBay site, anyone interested in the item in the auctiona 1961 Volkswagen Microbuswas encouraged to e-mail the scammer directly at firstname.lastname@example.org to proceed with the sale.
According to security experts, such attacks are a very common and effective way of tricking Internet users into visiting fake sites."Any site that accepts user-generated content has likely had to patch their site for this flaw," says Bill Pennington, vice president of services at WhiteHat Security. Pennington says his company finds nearly 600 instances of cross-site scripting flaws on the Web every day.
Can the vulnerability be fixed?
For eBay's part, it says that it constantly monitors its site for security problems and corrects them as quickly as they are found. "As soon as we became aware of this scheme, we changed some of the code on our site. So this scheme, and ones like it, can no longer be effective," says Nichola Sharpe, an eBay spokesperson.
And eBay is far from alone when it comes to being a target of this type of attack. Similar attacks on major sites like Amazon.com, MySpace.com, Verisign, and even the U.S. National Security Agency's website have been documented.
Security experts say cross-site scripting is part of doing business on the Internet. "There is no one fix [for websites] to solve this problem," says Ken Dunham, security expert with VeriSign iDefense Security Intelligence Service. He says finding and patching cross-scripting flaws is like a game of Whack-A-Mole, with new flaws popping up all the time.