Ebay snuffs malware upload bug

Hacker Aditya Sood has disclosed two vulnerabilities in eBay that allow hackers to upload files for drive-by-download attacks. The security bod (@AdityaKSood) told ThreatPost the flaws allow attackers to upload malicious content that appears to be benign. Once uploaded to eBay, malware can be sent to victims using direct links …

  1. A Non e-mouse

    Never trust user supplied data

    I hope EBay are checking more than just the HTTP headers sent with the upload request. The only way to be sure you've got an image is to check the file contents.

  2. sabroni

    If it's an image

    then why does it get executed?

  3. Mr_Pitiful

    I've noticed this

    A few years ago if you were stupid enough to be looking for expensive boats or houses you could get hit, but the other day I was looking for a cheap air conditioning unit and the image files were trying to load executables.

  4. Anonymous Coward

    Exe upload

    "The attacker can upload malicious exe file camouflaged as image files and then use the URL in drive by download attacks."

    But only 1 particularly moronic operating system will try and run it.

    1. mythicalduck

      Re: Exe upload

      Which OS are you referring to?

      I don't have Linux or OSX to hand, but in Windows, when I rename an EXE file as .JPG and double click it, it tries to open it in my paint package (which fails with an invalid format)

      I then proceeded to put the filepath in Firefox and IE, and both tried to render as an image (and failed), okay, so it's not on a webserver, but surely that would be riskier because there's no metadata saying "This is an image by the way"

      So TBH, I'm not really sure how this is supposed to work

      1. A Non e-mouse

        @mythicalduck - Re: Exe upload

        You're playing with files on the filesystem. When files come in over a HTTP connection, different rules apply. There is (usually) a HTTP header telling the client what the content type is supposed to be. But this is just a hint, and the client can inspect the file contents to decide what to do itself.

        1. Chris Evans

          Re: @mythicalduck - Exe upload

          "You're playing with files on the filesystem. When files come in over a HTTP connection, different rules apply." You mean like no security?

          Any program or OS that takes a file and runs it like an exe because of its contents but isn't file typed as exe is asking for trouble.

          Who thought that a good idea?

  5. Old Handle

    Hmm

    I wonder if the fix still leaves open the possibility of using a file that is simultaneously a valid image file as well as something else. I know I've heard of tricks like that in the past. Although that might make it harder to convince the browser/OS to execute it.
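A server-side check along the lines A Non e-mouse describes in comment 1 (look at the bytes, not the headers), which also covers the Content-Type point raised in the reply to mythicalduck and the "valid image that is also something else" question in comment 5. This is an added example written for this thread; it is not eBay's code and is not taken from the disclosure. The `validate_upload` and `jpeg_structure_ok` functions, the file names and every sample blob (a JPEG marker skeleton, a fake PE header, and the two glued together) are constructed here for illustration only; the skeleton is structurally walkable but not a decodable picture.

```python
"""Upload validation that trusts file contents, not the filename or the
Content-Type header. Added example for this thread, not eBay's code.
All sample inputs below are constructed in this script."""
import struct
from typing import Optional, Tuple

ALLOWED = {"image/jpeg", "image/png", "image/gif"}
EXT_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
             ".png": "image/png", ".gif": "image/gif"}


def is_pe(data: bytes) -> bool:
    """MZ stub plus a 'PE\\0\\0' signature at the offset held in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> Optional[str]:
    """Identify a file from its leading bytes, ignoring whatever the client claimed."""
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if is_pe(data):
        return "application/x-msdownload"          # Windows PE executable
    return None


def jpeg_structure_ok(data: bytes) -> Tuple[bool, str]:
    """Walk JPEG marker segments from SOI to EOI. A payload appended after the
    image (the simplest image+exe polyglot) shows up as bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        return False, "missing SOI"
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        while pos < n and data[pos] == 0xFF:       # skip 0xFF fill bytes
            pos += 1
        if pos >= n:
            return False, "truncated marker"
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:                         # EOI: nothing may follow it
            return (True, "ok") if pos == n else (False, f"{n - pos} trailing bytes after EOI")
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                               # standalone markers carry no length
        if pos + 2 > n:
            return False, "truncated segment length"
        (seg_len,) = struct.unpack_from(">H", data, pos)
        if seg_len < 2 or pos + seg_len > n:
            return False, f"bad segment length at offset {pos}"
        pos += seg_len
        if marker == 0xDA:                         # SOS: skip entropy-coded data to next real marker
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] != 0
                                       and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return False, "no EOI"


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if extension, declared Content-Type and sniffed content all agree."""
    sniffed = sniff(data)
    if sniffed not in ALLOWED:
        return False, f"content sniffed as {sniffed}, not an allowed image type"
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if EXT_TYPES.get(ext) != sniffed:
        return False, f"extension {ext!r} does not match content {sniffed}"
    if declared_type.split(";")[0].strip().lower() != sniffed:
        return False, f"declared {declared_type} but content is {sniffed}"
    if sniffed == "image/jpeg":                    # a real deployment needs a walker per format
        ok, why = jpeg_structure_ok(data)
        if not ok:
            return False, "jpeg structure: " + why
    return True, "ok"


# --- constructed samples (not real files) ---
JPEG_SKELETON = (b"\xff\xd8"                                                       # SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"             # SOS header
    + b"\x12\x34\xff\x00\x56"                                                      # scan data, FF00 stuffed
    + b"\xff\xd9")                                                                 # EOI


def fake_pe() -> bytes:
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


FAKE_PE = fake_pe()
POLYGLOT = JPEG_SKELETON + FAKE_PE                 # valid image header, executable glued on the end

if __name__ == "__main__":
    for name, ctype, blob in [("cat.jpg", "image/jpeg", JPEG_SKELETON),
                              ("cat.jpg", "image/jpeg", FAKE_PE),
                              ("cat.jpg", "image/jpeg", POLYGLOT)]:
        print(name, ctype, validate_upload(name, ctype, blob))
```

The structural walk catches a payload appended after EOI, but not one tucked inside a legitimate APPn or COM segment, so the robust answer to comment 5 is to decode the upload and re-encode it server-side, then serve the result with a correct Content-Type and `X-Content-Type-Options: nosniff` so the browser does not reinterpret it.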
