WHID 2009-33: eBay Fraud Abuses Zero Day XSS

A zero-day XSS vector enabled hackers to include in an eBay offer arbitrary code that is executed by both Firefox and IE. As a result, they were able to spoof the content of the offer, so that the user saw different information than the details known to eBay.

A very detailed technical explanation of the vulnerability is included in a Firefox community discussion on whether the issue is a browser issue or a web site issue. As usual, the truth is somewhere in the middle. The Firefox team chose to correct the issue discovered in Firefox. Microsoft claimed that the issue exploited in IE, which is reported to be a CSS expression issue, is a feature and not a bug, and that the vulnerable web site should be fixed.

Incident Outcome: