eBay listing compromised with XSS vulnerability

By Chris Dawson September 17, 2014 - 9:00 pm

eBay listings for iPhones have been infected with a cross-site scripting (XSS) attack, causing users who clicked on them to be redirected to a fake eBay sign-in page. Doubtless many users clicking on the listings would have inadvertently entered their user name and password, giving hackers full access to their eBay accounts.

eBay told us “The eBay corporate network has not been compromised. This appears to be a case of abuse by a user who placed malicious links within a few product listings on We take the safety of our marketplace very seriously and remove listings that are in violation of our policy on third-party links”.

Needless to say the listings have been taken down. The BBC say that in addition to the first listing reported they found two additional suspect listings. However eBay removed the second and third listing before the BBC had time to verify that they were also compromised with the XSS code.

I’m no techie and haven’t a clue how malicious scripts could be inserted into listings without eBay spotting and blocking the listing. eBay serve item descriptions in a separate frame to help avoid this type of issue. However, hacking and phishing always have been and always will be a race between the bad guys and the good guys.

If you think your account has been compromised then contact eBay – they’re actually pretty hot on restoring accounts to the rightful owner and identifying any illicit activity and log ins from unverified locations.

It’s also worth emphasising that eBay itself was not hacked as in the case which prompted the password reset for all users. This was an isolated case of one user ID inserting malicious script into a couple of listings, so unless you saw, clicked on them and entered your user name and password you’re safe.

  • 5 years ago

    However you look at this it’s another chink chink at confidence in eBay. They’re having a bad year.

  • John Smith
    5 years ago

    I think that eBay should really have a worldwide banned evil Russian hackers from using the auction site for malicious purposes. This is simply not cool! Not hackers should not hack eBay for fun.

  • 5 years ago

    BBC reports it was more serious than first glance.

  • Lucas
    5 years ago

    According to BBC the flaw has existed for months and eBay was aware of it but as usual did nothing.

  • John
    5 years ago

    Yep..but hey! A bit of spin doesn’t hurt..
    Does it?
