eBay listing compromised with XSS vulnerability

eBay listings for iPhones have been infected with a cross site scripting (XSS) attack, causing users that clicked on them to be redirected to a fake eBay sign in page. Doubtless many users clicking on the listings would have inadvertently entered their user name and password giving hackers full access to their eBay accounts.

eBay told us “The eBay corporate network has not been compromised. This appears to be a case of abuse by a user who placed malicious links within a few product listings on eBay.co.uk. We take the safety of our marketplace very seriously and remove listings that are in violation of our policy on third-party links“.

Needless to say the listings have been taken down. The BBC say that in addition to the first listing reported they found two additional suspect listings. However eBay removed the second and third listing before the BBC had time to verify that they were also compromised with the XSS code.

I’m no techie and haven’t a clue how malicious scripts could be inserted into listings without eBay spotting and blocking the listing. eBay serve item descriptions in a separate frame to help avoid this type of issue. However hacking and phishing always has and always will be a race between the bad guys and the good guys.

If you think your account has been compromised then contact eBay – they’re actually pretty hot on restoring accounts to the rightful owner and identifying any illicit activity and log ins from unverified locations.

It’s also worth emphasising that eBay itself was not hacked as in the case which prompted the password reset for all users. This was an isolated case of one user ID inserting malicious script into a couple of listings, so unless you saw, clicked on them and entered your user name and password you’re safe.

0 likes0 dislikes

Comments

However you look at this it's another chink chink at confidence in eBay. They're having a bad year.

Dan Wilson • 17th September 2014 •

I think that eBay should really have a worldwide banned evil Russian hackers from using the auction site for malicious purposes. This is simply not cool! Not hackers should not hack eBay for fun.

John Smith • 18th September 2014 •

BBC reports it was more serious than first glance. https://www.bbc.com/news/technology-29241563

Scott Plutchok • 18th September 2014 •

According to BBC the flaw has existed for months and eBay was aware of it but as usual did nothing. https://www.bbc.co.uk/news/technology-29279213

Lucas • 20th September 2014 •

Yep..but hey! A bit of spin doesn't hurt.. Does it? Eh?

John • 21st September 2014 •