2014
06.03

How I could change your eBay password

Today I am going to share an interesting finding that allowed me to change the password of almost “150 million” eBay users!

I was checking my e-mail when I have found a “View your recent activity” message from PayPal,  I have checked the links inside the message and found an “Open Redirection” vulnerability!

I have decided to report it to Paypal, I asked a friend of mine about the Paypal security e-mail, he told me that I should register on eBay to report Vulnerabilities to Paypal :).

Well, I went to eBay to register and have found two other vulnerabilities while registering!, I have reported the three bugs and waited.

Two days later, I tried to log in my eBay account to check the status of my 3 reports, and like every time, I have forgotten my password 🙁 .

I went to ” Forget Password” page at eBay  to see how secure their password reset mechanism is.

So here is how users can change their own passwords on eBay:

1- The user navigate ” Forget password page ” and enter his registered Email or Username.

2- eBay gives you the three options which you can change your password with (Using Email, Text message or phone call).

3- If you use Email method, they will send you an email includes a reset password link where you can change your own password.

So lets fire up BurpSuite to see what happens behind the scene..

Visting (https://fyp.ebay.com/EnterUserInfo?&clientapptype=19) and entering my e-mail address will take me to another page that asks me where I want to get my “Reset Password Link” , I have chosen ” By E-mail” and intercepted the request

Hijacking eBay users
 

After Forwarding that request, I received an Email with a change password link, I clicked on the link, it takes me to another page where I have to create my new password, I have entered my new password, hit enter and intercepted the request which looked like:
 

Hijacking eBay users

Hijacking eBay users

Have you noticed that??!!

Wow, instead of using the Secretreqinput value” that have been sent to the user’s email,  eBay uses the same “reqinput” value that have been generated in the first request!!!

Exploitation Time:

I went again to the ” Forget Password page” then entered the victim email, then chose to send the “Reset Password link” to e-mail and captured the request and save the “reqinput value” .

then I repeated the POST request “shown in the last screen shot” and replaced the reqinput value with the new one, I posted it, but it gave me error!!

Why? because the user have to “click” on the link sent to the email to the server can unlock the change password process ” and this is the only user interaction that has to be taken in order to make the attack succeed”

after the user clicked on the “reset password” link, I was able to change his password 🙂

 

This means that an attacker can hijack millions of user accounts in a targeted attack

Here is  a real life attack scenario diagram:

 

eBay hacked

eBay hacked

 

 

Enjoy watching the POC video

 

8 comments so far

Add Your Comment
  1. Id love to be able to get into one gmail acct !! 🙂

  2. nice bro..

  3. Hi Yasser,

    Many thanks for your efforts to explain your discoveries, its a great help for the whole security community.

    But, I think that in the figure the phrase

    “Attacker intercepts the request, save the reqinput …”

    is somewhat misleading, as the attacker do not need to catch the e-mail, as the figure might suggests, but he learns the reqinfo token earlier by browsing the page where he enters the victim’s e-mail address.

    More precisely, the reqinput token is sent by the server in a hidden input field of the
    /EnterUserInfo page.

    I am sure you are aware of this, I just made this comment for the less experienced
    readers like me.

    Congrats for your success on Paypal, regards

    Zoltan

    • Yes, We could do it that way too 🙂

      • Yasser, I am having difficulties doing this.

        Can we please speak? I desperately need help with this!

        • Yes, because it has been patched 😉

  4. Yasser, Does this hack still work?

    Please let me know Thanks!

    • Nope, This has been patched be eBay.