eBay https security is vulnerable to attack from http

This problem is fixable by forcing session cookies to secure only and upgrading to https with hsts to reduce the risk of this problem returning.

I tested this against http://ebay.com instead of http://mark.ebay.com (made using an /etc/host entry to localhost and a SimpleHTTPServer) and a request to that works too. However, I’m on a shared network  (at Fosdem) and pretty sure they don’t want me to run Wireshark on their wifi, so can only demonstrate it using copy as curl from Chrome to show the cookies sent plaintext.


2 comments

  1. Pingback: Privacy concerns over gaps in eBay crypto – sec.uno

  2. Pingback: Privacy concerns over gaps in eBay crypto (The Register) – sec.uno


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s