eBay Mobile Reflected XSS Disclosure Writeup

Thought I’d write a post on my experience with eBay’s security submission team and also to keep an archive of my various bug submissions.

The vulnerability was reflected XSS caused by improper sanitization of the user-supplied itemId parameter on eBay mobile: the value was echoed into an HTML attribute without encoding, so a double quote in the parameter terminates the attribute and whatever follows is parsed as new attributes (an onclick handler in the case below). I found it manually, just by tampering with inputs and watching the output.

The XSS

Yummy Cookies

http://m.ebay.com/recfb?sid=adoramacamera&itemId=331087337021%22%20onclick%3D%22alert%28document.cookie%29
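To make the attribute breakout concrete, here is an added example (my code, not the author's or eBay's) that percent-decodes the itemId from the reported URL, feeds it to a hypothetical vulnerable template that concatenates it into a double-quoted href, and contrasts that with an attribute-encoded version plus a numeric allow-list check. Only the URL and payload come from the post; the template markup, helper names and the tokenizer-style attribute check are assumptions.

```javascript
// Added example, not code from the original post or from eBay: a model of the attribute
// injection the write-up describes. The template, helper names and checks are assumptions.

// Constructed from the payload URL quoted in the post.
const REPORTED_URL =
  'http://m.ebay.com/recfb?sid=adoramacamera&itemId=331087337021%22%20onclick%3D%22alert%28document.cookie%29';

// Percent-decode the itemId query parameter the way a server framework hands it to application code.
function extractItemId(urlString) {
  return new URL(urlString).searchParams.get('itemId');
}

// Hypothetical vulnerable template: the raw parameter is concatenated into a double-quoted attribute.
function renderVulnerable(itemId) {
  return `<a href="/itm?itemId=${itemId}">View item</a>`;
}

// HTML attribute encoder: replace every character that could close the quoted value
// or start a tag or entity with a numeric character reference.
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// Hardened template: same markup, but the value is output-encoded for the attribute context.
function renderEncoded(itemId) {
  return `<a href="/itm?itemId=${encodeAttr(itemId)}">View item</a>`;
}

// Defence in depth: eBay item ids are numeric, so reject anything else before it reaches a template.
function isValidItemId(itemId) {
  return /^\d{1,20}$/.test(itemId);
}

// Split a rendered tag into attribute names the way a browser tokenizer does for
// double-quoted values. Any attribute the template did not write (anything besides
// href) is evidence that the parameter broke out of its attribute.
function attributeNames(html) {
  const names = [];
  const re = /\s([a-zA-Z-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

if (typeof require !== 'undefined' && require.main === module) {
  const itemId = extractItemId(REPORTED_URL);
  console.log('decoded itemId:', itemId);
  console.log('vulnerable    :', renderVulnerable(itemId), attributeNames(renderVulnerable(itemId)));
  console.log('encoded       :', renderEncoded(itemId), attributeNames(renderEncoded(itemId)));
  console.log('allow-list ok :', isValidItemId(itemId));
}
```

Run it with node. In the vulnerable output the injected `onclick` becomes a real second attribute of the anchor, which is exactly what the browser executed on the page; in the encoded output the entire payload stays inside the href value, and the allow-list rejects it outright before any template is involved.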

Yep, it was really that simple, oddly enough. I reported it initially and got an automated response stating not to contact them about the bug's status for any reason, and that they would get back to me eventually.

So I waited... and waited... and waited. A few months later I felt that I had waited more than enough; I understand they are most likely busy, but I contacted them. It turns out they had lost the message! Oops! After I resubmitted the bug, they promptly added me to the eBay hall of fame and everything was smooth from there.

Overall, I'd say eBay was a very nice and straightforward company to report to. Even though they don't run a proper bug bounty program, the hall of fame is always cool for researchers :)

For those looking to report vulnerabilities in eBay check out this link to submit: http://ebay.com/securitycenter/Researchers.html

The eBay hall of fame: http://ebay.com/securitycenter/ResearchersAcknowledgement.html

Until next time,

-mandatory

Matthew Bryant (mandatory)
Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.