CIO Today reports eBay was hacked…again. Over the summer, nearly 145 million passwords were exposed, but this time hackers used a different approach to harvest data.
Because eBay allows JavaScript and Flash, hackers are able to use a cross-site scripting technique to send shoppers to a fake website that asks for their login and password again. After stealing logins, hackers can access accounts, post fake items for sale, and steal more data.
These custom phishing attacks have plagued e-commerce sites in the past, and they're part of the reason many hosts and other e-commerce venues won't allow JavaScript and Flash. Apple famously decided not to allow Flash on any of its mobile devices.
What makes JavaScript and Flash so dangerous? Flash has a long history of vulnerabilities, while JavaScript can often be used to conceal code injection attacks.
To better understand this threat, let's take a closer look at how hackers are using Flash and JavaScript to launch phishing attacks.
Limiting the Attack Surface: Why Smaller is Better
InfoSec researchers often talk about "attack surface," which can be defined as the number of ways into a program. Each program has certain code that transmits and accepts data from outside. By allowing users to run JavaScript and Flash, eBay increases these vectors and provides more places for hackers to attack.
Security is always a tradeoff. No product will have zero attack surface because some code and connectivity always takes place. IT consultants need to make decisions about what is and isn't allowed, weighing the benefits and functionality against the additional dangers that come with an increased attack surface.
Let's review the ways JavaScript and Flash increase the attack surface for web hosts, e-commerce companies, and other tech businesses:
- Cross-site scripting (XSS). These attacks allow hackers to take authorization cookies and steal private data that users transmit via browser.
- Malvertising. Cyber criminals can embed malware in ads that use Flash. Threatpost warns that there's been a recent string of these attacks. After visiting a website with malvertising, users can be locked out of computers with a "cryptowall" that is only released when they pay a BitCoin ransom to the hackers.
- Phishing. By using JavaScript's redirect function, hackers can send users to third-party websites that trick them into divulging their passwords, logins, credit card information, or other private data.
Is eBay Liable for Phishing Scams?
Security professionals have been critical of eBay in the past, arguing its platform was insecure (in part because it was susceptible to code injection attacks) and it was slow to strip out bad code and repair these vulnerabilities.
A lawsuit against eBay could easily argue that the company has been "negligent," which is a legal term that means eBay should have done more. A tech firm can be found negligent and have to pay damages to its users if it…
- Falls short of its professional obligations.
- Doesn’t offer a secure web environment.
- Fails to respond quickly to vulnerabilities.
How do you protect your IT company from negligence claims? You should always respond quickly to possible security weaknesses, proactively prevent attacks, and limit attack surface. Additionally, you can cover your business with Errors and Omissions Insurance.
E&O for IT professionals offers financial security. It pays for negligence lawsuits and other professional liability claims, shielding you from expensive lawsuits. A typical Errors and Omissions Insurance policy offers over $1 million in lawsuit coverage.
To learn more about IT insurance, see our sample insurance quotes for IT contractors.
