eBay listing compromised with XSS vulnerability

eBay listings for iPhones have been infected with a cross site scripting (XSS) attack, causing users that clicked on them to be redirected to a fake eBay sign in page. Doubtless many users clicking on the listings would have inadvertently entered their user name and password giving hackers full access to their eBay accounts.

eBay told us “The eBay corporate network has not been compromised. This appears to be a case of abuse by a user who placed malicious links within a few product listings on eBay.co.uk. We take the safety of our marketplace very seriously and remove listings that are in violation of our policy on third-party links“.

Needless to say the listings have been taken down. The BBC say that in addition to the first listing reported they found two additional suspect listings. However eBay removed the second and third listing before the BBC had time to verify that they were also compromised with the XSS code.

I’m no techie and haven’t a clue how malicious scripts could be inserted into listings without eBay spotting and blocking the listing. eBay serve item descriptions in a separate frame to help avoid this type of issue. However hacking and phishing always has and always will be a race between the bad guys and the good guys.

If you think your account has been compromised then contact eBay – they’re actually pretty hot on restoring accounts to the rightful owner and identifying any illicit activity and log ins from unverified locations.

It’s also worth emphasising that eBay itself was not hacked as in the case which prompted the password reset for all users. This was an isolated case of one user ID inserting malicious script into a couple of listings, so unless you saw, clicked on them and entered your user name and password you’re safe.