Network World
How to avoid falling into the phishing hole

By Tom Spring , PC World , 04/10/2007

You can never defend yourself too much while online.

A PC World reader alerted me to a flaw on eBay's Web site that enabled a scam designed to trick people into handing over their personal information. eBay patched the flaw promptly last week, but the experts I spoke with wonder how long the fix will hold.

The flaw allowed a scammer to use an increasingly common type of attack called cross-site scripting, or XSS, to redirect people from a genuine eBay listing to a spoofed eBay site. In an XSS attack, script that the attacker has planted in a page (here, in the text of an auction listing) runs in the visitor's browser with the trust of the site that served it, so the address bar shows the real eBay domain right up until the script sends the visitor somewhere else. Though eBay may have plugged this hole for now, experts say similar problems have surfaced before on eBay and other sites, and it is a safe bet they will again. The problem is not going away, and it will continue to cause trouble for visitors to eBay and other sites for the foreseeable future.

How it worked

On a tip from a PC World reader, I reviewed the scam before eBay canceled the auction it was keyed to. Once potential victims had been taken to the fake, or spoofed, eBay site, anyone interested in the item in the auction, a 1961 Volkswagen Microbus, was encouraged to e-mail the scammer directly at 4naffairs@yahoo.com to proceed with the sale.

According to security experts, such attacks are a very common and effective way of tricking Internet users into visiting fake sites.

"Any site that accepts user-generated content has likely had to patch their site for this flaw," says Bill Pennington, vice president of services at WhiteHat Security. Pennington says his company finds nearly 600 instances of cross-site scripting flaws on the Web every day.

Can the vulnerability be fixed?

For its part, eBay says it constantly monitors its site for security problems and corrects them as quickly as they are found. "As soon as we became aware of this scheme, we changed some of the code on our site. So this scheme, and ones like it, can no longer be effective," says Nichola Sharpe, an eBay spokesperson.

And eBay is far from alone when it comes to being a target of this type of attack. Similar attacks on major sites like Amazon.com, MySpace.com, Verisign, and even the United States National Security Agency's Web site have been documented.

Security experts say cross-site scripting is part of doing business on the Internet. "There is no one fix [for Web sites] to solve this problem," says Ken Dunham, security expert with VeriSign iDefense Security Intelligence Service. He says finding and patching cross-site scripting flaws is like a game of Whack-A-Mole, with new flaws popping up all the time.
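The mechanism described under "How it worked", and the Whack-A-Mole problem Dunham describes, as an added example in JavaScript. This is not code from the article or from eBay. The listing title is the one from the auction, but the seller-description payloads, the two renderer functions, the `blocklistFilter` and `escapeHtml` helpers, the `containsActiveContent` check and the spoof host `ebay-signin.example` are all constructed for this demonstration. It shows a seller's description being interpolated raw into the listing page, a redirect payload that a script-tag blocklist removes, a second payload with no script tag at all that walks straight past the same blocklist, and output encoding, which neutralizes both.

```javascript
// Added example, not from the article or from eBay: script planted in
// user-generated content (an auction description) runs in the visitor's
// browser and redirects them, and stripping "<script>" alone does not fix it.
// Every payload, the listing markup and the host "ebay-signin.example" are
// constructed for this demo; the spoof host is hypothetical.

// The weak fix: remove <script> tags and nothing else. Deliberately incomplete.
function blocklistFilter(html) {
  return html.replace(/<\s*\/?\s*script\b[^>]*>/gi, "");
}

// The real fix for text that is meant to be displayed, not rendered as markup:
// encode every character that can open or close a tag or an attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: the seller's description is interpolated into the page
// as raw HTML, so whatever the seller typed becomes part of the site's own page.
function renderListingVulnerable(title, description) {
  return `<h1>${title}</h1>\n<div class="desc">${description}</div>`;
}

// Hardened renderer: same layout, but untrusted text is encoded on output.
function renderListingSafe(title, description) {
  return `<h1>${escapeHtml(title)}</h1>\n<div class="desc">${escapeHtml(description)}</div>`;
}

// Heuristic check for rendered markup (for tests, not a sanitizer): a
// script/iframe/object/embed tag, an inline event handler on any element, or
// a javascript: URL in href/src/action. Only real tags opening with "<" count,
// so encoded text ("&lt;img ... onerror=...") never matches.
const ACTIVE_CONTENT = new RegExp(
  [
    "<(?:script|iframe|object|embed)\\b",
    "<[a-z][^>]*\\son[a-z]+\\s*=",
    "<[a-z][^>]*\\s(?:href|src|action)\\s*=\\s*[\"']?\\s*javascript:",
  ].join("|"),
  "i"
);

function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

const TITLE = "1961 Volkswagen Microbus"; // the item from the article

// Constructed attacker payloads for the description field.
// 1. The obvious one: an inline script that sends the browser to a spoofed login page.
const SCRIPT_REDIRECT =
  '<script>window.location="https://ebay-signin.example/login"</script>';
// 2. The same redirect with no <script> tag: a broken image whose onerror
//    handler fires as soon as the listing loads. A script-tag blocklist never sees it.
const ONERROR_REDIRECT =
  '<img src="x" onerror="window.location=\'https://ebay-signin.example/login\'">';

// Run the four combinations and return whether each rendered page still
// carries executable content.
function demo() {
  return {
    rawScript: containsActiveContent(renderListingVulnerable(TITLE, SCRIPT_REDIRECT)),
    blocklistedScript: containsActiveContent(renderListingVulnerable(TITLE, blocklistFilter(SCRIPT_REDIRECT))),
    blocklistedOnerror: containsActiveContent(renderListingVulnerable(TITLE, blocklistFilter(ONERROR_REDIRECT))),
    escapedOnerror: containsActiveContent(renderListingSafe(TITLE, ONERROR_REDIRECT)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
  console.log(renderListingSafe(TITLE, ONERROR_REDIRECT));
}
```

Run it with `node`. The blocklist catches the first payload and misses the second, which is exactly the patch-and-reappear cycle the article describes: each filtered vector is replaced by another the filter did not anticipate. Encoding on output leaves nothing for the browser to execute regardless of which vector the seller used; where sellers legitimately need rich HTML in descriptions, the equivalent is a parser-based allowlist sanitizer, never a pattern blocklist.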


Comments (3)

The way to avoid falling into the phishing hole
By Anonymous on April 11, 2007, 11:19 am
The way to avoid falling into the phishing hole is to stop clicking on links in email and on the web. The article fails to even mention that users have to be...


Has this ever been different?
By Peter on April 10, 2007, 8:08 am
I doubt it. When it comes to protecting my money, I was always willing to compromise ease of use, was I not? Moreover, I don't understand the fuss: Swiss banks...


Simple anti-phishing security that works
By Anonymous on April 7, 2007, 12:29 pm
Bookmark the real sites, and only use the bookmarks. That's anti-phishing security that works!! Re: Online banking users value security before convenience.
