eBay XSS infected listings still on the site

By Chris Dawson September 22, 2014 - 8:39 am

Since we wrote about the eBay XSS vulnerability last week we’ve been inundated with readers telling us that the issue has not only been around for months, but still exists and is yet to be patched.

We’ve had comments such as “I think it’s time eBay stopped allowing the use of javascript and Flash on listings” and “I told eBay months ago but they’ve still done nothing about it”.

This weekend, while browsing eBay, we came across just such a listing for an iPhone. Here are the screen shots we captured. Even though the listing appeared live in search results, the listing page, which was briefly visible before the redirect took place, showed that the listing had been ended.

We can only conclude that ended listings are as unsafe as live listings if they’ve been compromised, and that in this instance the ended listing hasn’t been removed from eBay, so it is still viewable.

Screen shots of eBay XSS redirect vulnerability

eBay search results – eBay ended listing – redirect to glb.org.br – redirect to password phishing site

As of Sunday evening this ended listing (item number 171468736109; please do NOT browse to it, and under no circumstances enter your eBay user name and password) is still viewable on eBay.

We’d like to emphasise that this isn’t eBay itself that’s been hacked. It is a listing-by-listing issue, and it arises from criminals inserting dodgy code into the eBay description. That’s not to say that it should happen, but the reality is that it does. However, it’s the kind of code which should be stripped out of eBay descriptions to prevent the possibility of phishing attacks of this sort.
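An allowlist sanitiser of the kind the paragraph above calls for, added here as an example and not eBay’s or the author’s code: it strips active elements, inline event handlers and script-scheme URLs from a seller description and reports what it removed, so the same routine can also flag already-stored listings, live or ended, for review. The tag policy, function names and sample domains are assumptions.

```python
import html
from html.parser import HTMLParser
# Elements that run code or force a redirect; dropped, <script>/<style> with their contents.
ACTIVE_TAGS = {"script", "style", "iframe", "object", "embed", "applet", "meta", "link", "base", "form"}
# Conservative allowlist for seller markup (assumed policy, not eBay's own rules).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a", "img", "h2", "table", "tr", "td"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skipping = [], [], False
    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):           # inline event handler
                self.findings.append(f"<{tag}>: event handler {name} removed")
            elif name in ("href", "src") and "".join(value.split()).lower().startswith(BAD_SCHEMES):
                self.findings.append(f"<{tag}>: {name} with script scheme removed")
            elif name in ALLOWED_ATTRS:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}> removed")
            self.skipping = tag in ("script", "style")   # their raw text is skipped too
        elif tag in ALLOWED_TAGS:                       # unknown tags dropped, text kept
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        elif tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

def sanitize_listing(description):
    """Return (clean_html, findings); any finding flags the listing for review."""
    p = ListingSanitizer()
    p.feed(description); p.close()
    return "".join(p.out), p.findings

# Constructed sample (placeholder domains): a genuine description with an injected redirect.
SAMPLE = ('<p>iPhone 5S, <b>unlocked</b>, boxed.</p>'
          '<script>window.location="http://phish.example.invalid/login";</script>'
          '<a href="javascript:void(0)" onclick="go()">Photos</a><img src="http://s.example.invalid/p.jpg" alt="Phone">')
```

Running `sanitize_listing(SAMPLE)` keeps the product text and image but drops the script block, the script-scheme link and the event handler, returning three findings for the reviewer.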

It’s not been a good year for eBay, what with the password reset issue and repeated site outages. Continued XSS issues are the last thing they need in the press in the run up to Christmas.

  • Toby
    3 years ago

    Item 111468620012 is the same
    Why haven’t eBay removed these listings/accounts
    We reported these in April as site interference & again with Dublin CS & it took 3 days before the listing was removed

  • TC1842
    3 years ago

    eBay don’t remove these things because:

    A. They are organised to believe all sellers are lying.
    B. All buyers are telling the truth.
    C. They make money from these activities through listing fees.
    D. They really are too big for their boots and completely unaware of what goes on in the real world outside their shareholder interests.

    See current BBC news story for details. One man there was billed £35 for listings on his account. No evidence that eBay gave a thought to his complaint. Eventually he’ll have all sorts of grief with this I imagine.

    http://www.bbc.co.uk/news/technology-29310042

  • Gary
    3 years ago

    BBC teletext business news now reports that over 100 listings have been picked up with this security issue. This could be snowballing out of control. Would suggest that anybody viewing competitively priced listings of “in demand” products treat the listings with caution as they may be spoofs created using a hacked account.

    • Steve
      3 years ago

      WOW? Teletext? Do you mean it still exists?

      And you actually read it?

      Don’t you have Internet yet?

    • Gary
      3 years ago

      Try using the text button on your TV remote. The content may surprise you and it is free!

    • 3 years ago

      Some of us even read…Newspapers and on occasions Magazines and as a Bookseller I’ve even been known to read….Books.

  • mobin
    3 years ago

    ohhh it is still available 111468620012

  • Steve
    3 years ago

    I have a great idea.

    Why don’t eBay techie people stop screwing around with their so called improvements, fix this issue, repair the many other pages that now don’t load/work/blank/BLANK, etc and take redundancy? Or just simply fire the lot for being idiots.

    eBay would save millions, the site would actually work, and we would all be happy.

    Nahh, don’t be silly, that’s far too simple!!
