eBay XSS infected listings still on the site
Since we wrote about the eBay XSS vulnerability last week we’ve been inundated with readers telling us that the issue has not only been around for months, but still exists and is yet to be patched.
This weekend when browsing on eBay we came across just such a listing for an iPhone. Here’s the screen shots we captured and even though the listing was live in search results on the listing page which was briefly visible before the redirect took place, it appears that the listing was ended.
We can only conclude that ended listings are as unsafe as live listings if they’ve been compromised and that in this instance the ended listing hasn’t been removed from eBay so is still viewable.
Screen shots of eBay XSS redirect vulnerability
As of Sunday evening this ended listing (Item number 171468736109 Please do NOT browse to it and in no circumstances enter you eBay user name and password) is still viewable on eBay.
We’d like to emphasis that this isn’t eBay itself that’s been hacked. It is a listing by listing issue and it arses from criminals inserting dodgy code into the eBay description. That’s not to say that it shouldn’t happen, but the reality is that it does. However it’s the kind of code which should be stripped out of eBay descriptions to prevent the possibility of phishing attacks of this sort.
It’s not been a good year for eBay, what with the password reset issue and repeated site outages. Continued XSS issues is the last thing they need in the press in the run up to Christmas.
Item 111468620012 is the same
Why haven’t eBay removed these listings/accounts
We reported these in April as site interference & again with Dublin CS & it took 3 days before the listing was removed
eBay don’t remove these things because;
A. They are organised to believe all sellers are lying.
B. All buyers are telling the truth.
C. They make money from these activities through listing fees.
D. They really are too big for their boots and completely unaware of what goes on in the real world outside their shareholder interests.
See current BBC news story for details. One man there was billed £35 for listings on his account. No evidence that eBay gave a thought to his complaint. Eventually he’ll have all sorts of grief with this I imagine.
BBC teletext business news now reports that over 100 listings have been picked up with this security issue. This could be snowballing out of control. Would suggest that anybody viewing competively priced listings of “in demand” products treat the listings with caution as they may be spoofs created using a hacked account.
WOW? Teletext? Do you mean it still exists?
And you actually read it?
Don’t you have Internet yet?
Try using the text button on your TV remote. The content may surprise you and it is free!
Some of us even read…Newspapers and on occasions Magazines and as a Bookseller I’ve even been known to read….Books.
ohhh it is still available 111468620012
I have a great idea.
Why don’t eBay techky people stop screwing around with their so called improvements, fix this issue, repair the many other pages that now don’t load/work/blank/BLANK, etc and take redundancy? Or just simply fire the lot for being idiots.
eBay would save millions, the site would actually work, and we would all be happy.
Nahh, dont’t be silly, thats far too simple!!