eBay has patched a cross-site scripting (XSS) vulnerability after the company declined to respond to private disclosure for a month, according to a security researcher going by the name “MLT.” The vulnerability potentially exposed millions of users to spear phishing attacks and allowed cybercriminals to steal credentials and funds and scam other users.
A blog post published Monday by “MLT” describes the vulnerability as a fairly basic one involving the main domain. It also explains how a hacker could inject a malicious page into eBay using a Java implementation. The researcher mirrored eBay’s login page: the fake page showed users an error when they attempted to log in, while capturing the username and password they had entered.
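The defect class described above is the usual one behind an injected page: untrusted input is written into the site's HTML without encoding, so markup in that input is parsed as part of the page. The following is an added illustration, not code from eBay or from the researcher's post; the page template, the parameter name and the helper names are assumed. It places a vulnerable renderer next to its hardened form, and includes the check a reviewer would put in a test suite to catch the vulnerable version.

```javascript
// Added example (not eBay's code): reflected XSS in a hypothetical
// search-results page, vulnerable renderer vs. hardened renderer.

// Vulnerable: the untrusted query is concatenated straight into HTML, so any
// tags it contains become live elements in the rendered page.
function renderResultsUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Encode the characters that can change parsing context in HTML element
// content and quoted attribute values.
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, but the untrusted value is encoded for the HTML
// text context it lands in, so it renders as literal characters.
function renderResultsSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Count element tags in a rendered page (opening or closing).
function countTags(html) {
  const matches = html.match(/<\/?[a-zA-Z]/g);
  return matches ? matches.length : 0;
}

// Review check: a renderer is injectable if a probe string adds tags beyond
// those the template itself produces for benign input.
function isInjectable(renderFn) {
  const baseline = countTags(renderFn('laptop'));
  // Constructed probe: the standard textbook XSS test string.
  const probe = '<script>alert(1)</script>';
  return countTags(renderFn(probe)) > baseline;
}

// Defence in depth: a Content-Security-Policy that disallows inline scripts,
// so even a missed encoding gap cannot execute injected script text.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'";
}

// Stand-alone usage.
console.log('unsafe renderer injectable:', isInjectable(renderResultsUnsafe));
console.log('safe renderer injectable:  ', isInjectable(renderResultsSafe));
console.log(renderResultsSafe('<script>alert(1)</script>'));
```

The `isInjectable` check is what turns a one-off finding into a regression test: run it against every function that writes request data into a response, and a re-introduced concatenation fails the build rather than reaching users. The CSP header does not replace output encoding; it limits the damage when encoding is missed.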
“MLT” says that he “waited a month with no response from eBay,” and that the company “only rushed to patch the vulnerability after the media contacted them about it,” but eBay disputes the accuracy of this account.
“We did indeed receive the researcher’s submission on the 11th of December, and did respond to the initial email address that he submitted the report to on the 12th,” an eBay spokesperson told ZDNet. “However, he followed up with a different email alias, which resulted in a bit of miscommunication. We have since been in contact with the researcher and have fixed them.”
Typically security researchers give companies a time window to respond to these types of notifications or patch a vulnerability before making it public, which opens it up to exploitation. However, without knowing what was revealed in the initial submission, it is impossible to know whether the apparently unsuccessful email response from eBay was a sufficient reaction. It is difficult to imagine that it would have been ignored if it had been signed Brian Krebs or similar. “MLT” plans to update his post with his correspondence with eBay.