eBay XSS infected listings still on the site

Since we wrote about the eBay XSS vulnerability last week we’ve been inundated with readers telling us that the issue has not only been around for months, but still exists and is yet to be patched.

We’ve had comments such as “I think it’s time eBay stopped allowing the use of javascript and Flash on listings” and “I told eBay months ago but they’ve still done nothing about it”.

This weekend when browsing on eBay we came across just such a listing for an iPhone. Here’s the screen shots we captured and even though the listing was live in search results on the listing page which was briefly visible before the redirect took place, it appears that the listing was ended.

We can only conclude that ended listings are as unsafe as live listings if they’ve been compromised and that in this instance the ended listing hasn’t been removed from eBay so is still viewable.

Screen shots of eBay XSS redirect vulnerability

eBay search results – eBay ended listing – redirect to glb.org.br – redirect to password phishing site

As of Sunday evening this ended listing (Item number 171468736109 Please do NOT browse to it and in no circumstances enter you eBay user name and password) is still viewable on eBay.

We’d like to emphasis that this isn’t eBay itself that’s been hacked. It is a listing by listing issue and it arses from criminals inserting dodgy code into the eBay description. That’s not to say that it shouldn’t happen, but the reality is that it does. However it’s the kind of code which should be stripped out of eBay descriptions to prevent the possibility of phishing attacks of this sort.

It’s not been a good year for eBay, what with the password reset issue and repeated site outages. Continued XSS issues is the last thing they need in the press in the run up to Christmas.