eBay listing compromised with XSS vulnerability
eBay listings for iPhones have been infected with a cross site scripting (XSS) attack, causing users that clicked on them to be redirected to a fake eBay sign in page. Doubtless many users clicking on the listings would have inadvertently entered their user name and password giving hackers full access to their eBay accounts.
eBay told us “The eBay corporate network has not been compromised. This appears to be a case of abuse by a user who placed malicious links within a few product listings on eBay.co.uk. We take the safety of our marketplace very seriously and remove listings that are in violation of our policy on third-party links“.
Needless to say the listings have been taken down. The BBC say that in addition to the first listing reported they found two additional suspect listings. However eBay removed the second and third listing before the BBC had time to verify that they were also compromised with the XSS code.
I’m no techie and haven’t a clue how malicious scripts could be inserted into listings without eBay spotting and blocking the listing. eBay serve item descriptions in a separate frame to help avoid this type of issue. However hacking and phishing always has and always will be a race between the bad guys and the good guys.
If you think your account has been compromised then contact eBay – they’re actually pretty hot on restoring accounts to the rightful owner and identifying any illicit activity and log ins from unverified locations.
It’s also worth emphasising that eBay itself was not hacked as in the case which prompted the password reset for all users. This was an isolated case of one user ID inserting malicious script into a couple of listings, so unless you saw, clicked on them and entered your user name and password you’re safe.
However you look at this it’s another chink chink at confidence in eBay. They’re having a bad year.
I think that eBay should really have a worldwide banned evil Russian hackers from using the auction site for malicious purposes. This is simply not cool! Not hackers should not hack eBay for fun.
BBC reports it was more serious than first glance.
According to BBC the flaw has existed for months and eBay was aware of it but as usual did nothing.
Yep..but hey! A bit of spin doesn’t hurt..