Remortgages

US-CERT Alert: Active Exploitation of Cross-site Scripting Vulnerability in eBay.com

April 3, 2006 -- US-CERT is aware of an active exploitation of a cross-site scripting vulnerability in the eBay website. Successful exploitation may either allow an attacker to obtain sensitive data from stored cookies or redirect auction viewers to phishing sites where further disclosure of login credentials or personal information can occur.
More information about the reported vulnerability can be found in the following:

* CERT Advisory: CA-2000-02 - Malicious HTML Tags Embedded in Client Web Requests
* US-CERT Vulnerability Note: VU#808921 - eBay contains a cross-site scripting vulnerability

Until a practical solution or more information becomes available, US-CERT recommends the following:

* Disable Scripting as specified in the Securing Your Web Browser document and the Malicious Web Scripts FAQ.
* Validate web site addresses as described in the eBay Spoof Email Tutorial and US-CERT Cyber Security Tip ST04-014.
* Validate web site certificates as described in US-CERT Cyber Security Tip ST05-010.

We will continue to update current activity as more information becomes available.

Source: US-CERT

[ Comment, Edit or Article Submission ]