eBay listing compromised with XSS vulnerability

No primary category set

Hacking CodeeBay listings for iPhones have been infected with a cross site scripting (XSS) attack, causing users that clicked on them to be redirected to a fake eBay sign in page. Doubtless many users clicking on the listings would have inadvertently entered their user name and password giving hackers full access to their eBay accounts.

eBay told us “The eBay corporate network has not been compromised. This appears to be a case of abuse by a user who placed malicious links within a few product listings on eBay.co.uk. We take the safety of our marketplace very seriously and remove listings that are in violation of our policy on third-party links“.

Needless to say the listings have been taken down. The BBC say that in addition to the first listing reported they found two additional suspect listings. However eBay removed the second and third listing before the BBC had time to verify that they were also compromised with the XSS code.

I’m no techie and haven’t a clue how malicious scripts could be inserted into listings without eBay spotting and blocking the listing. eBay serve item descriptions in a separate frame to help avoid this type of issue. However hacking and phishing always has and always will be a race between the bad guys and the good guys.

If you think your account has been compromised then contact eBay – they’re actually pretty hot on restoring accounts to the rightful owner and identifying any illicit activity and log ins from unverified locations.

It’s also worth emphasising that eBay itself was not hacked as in the case which prompted the password reset for all users. This was an isolated case of one user ID inserting malicious script into a couple of listings, so unless you saw, clicked on them and entered your user name and password you’re safe.

5 Responses

  1. I think that eBay should really have a worldwide banned evil Russian hackers from using the auction site for malicious purposes. This is simply not cool! Not hackers should not hack eBay for fun.


eBay generative AI-powered Shop the Look

eBay generative AI-powered Shop the Look

eBay acquire Goldin, sell eBay Vault

eBay acquire Goldin, sell eBay Vault

eBay Roadshow Leicester - 18th April

eBay Roadshow Leicester – 18th April

Yodel acquired by newly formed YDLGP with Shift/Tuffnells - Yodel Store to door

Yodel Store to Door available on eBay Shipping

Fashion selling now free on eBay for private sellers

Fashion selling now free on eBay for private sellers

ChannelX Guide...

Featured in this article from the ChannelX Guide – companies that can help you grow and manage your business.


Take a look through a selection of the latest articles on ChannelX

Register for Newsletter

Receive 5 newsletters per week

Gain access to all research

Be notified of upcoming events and webinars