Categories: Hacking

POC – Hacking any eBay Account

THN disclosed details of a critical flaw discovered by the Egyptian researcher ‘Yasser H. Ali’ four months ago, which could be used to hack any eBay account.

The Egyptian security researcher ‘Yasser H. Ali’ four months ago reported to the team of the The Hacker News portal a critical vulnerability in eBay system which could be used by threat actors to hit its users.

The researchers demonstrated to the colleagues at THN the existence of the flaw, but avoided to disclose the process to exploit it for obvious reasons. In May, eBay suffered a major data breach and in the same period security experts discovered three other critical flaws which impacted eBay users.

eBay admitted that the cyber attack has impacted nearly 145 million registered users worldwide due to the violation of company database, in response eBay immediately requested its customers to change their passwords.

Once fixed the flaw, as promised, THN has shared the details of the process explained by Yasser H. Ali and today disclosed it. The flaw discovered by Yasser found could allow hackers to Reset Password of any eBay user account without any user interaction. Ali explained that a potential attacker have to know only the login email ID or username of the victim to compromise its account.

Password reset procedure starts with the redirection of the used to a “password reset” page, where eBay page first generates a random code value as HTML form parameter “reqinput”, which is visible to the attacker as well using Browser’s inspect element tool.

Once the user provides his username and clicks the submit button, eBay generates a second random code, which is known only by the user, and sends the code along with a password reset link to the eBay user with the registered email address.

The user then clicks on the password reset link received via email and will be redirected to an eBay page which asks to the user to submit a new password and its confirmation in order to complete the password reset procedure for his eBay account.

Yasser discovered that instead of using the secret code, the new password HTTP request sends the same respective “reqinput” value that has been generated by eBay when the user clicked on reset password. But the attacker already knows this value an using it could compromise the victim’s account, as demonstrated in a video POC.

In the video is visible that Ali targets a THN temporary account with email address info@thehackernews.com, he started the “password reset” procedure taking note for the ‘reqinput’ value from the inspect element.

Once captured the ‘reqinput’ the researcher redirected a new HTTP request to the eBay server at the password reset form action crafted with the “reqinput” value, the new password, the confirm password and password strength parameters.

The vulnerability discovered could be exploited for automated attacks on a large scale, it is just necessary to know valid ebay IDs that could be retrieved obtained from database of accounts breached in May.

Pierluigi Paganini

(Security Affairs – eBay, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.