Web Application Security
*Note: Email address will appear as "user domain ext" to prevent harvesting.
Ebay, Inc Bug Bounty - GoStoreGo Administrative Authentication Bypass to all online stores
Feb 12 2014 08:36PM
Mark Litchfield (mark securatary com)
This attack allowed for a cross store (so essentially unauthenticated,
as we have not authenticated to our target store) privilege escalation
attack creating an administrative user on any *.gostorego.com store.
As indicated by their own website, there are over 200,000 active
stores. This attack a...
Copyright 2010, SecurityFocus