eBay XSS infected listings still on the site

Since we wrote about the eBay XSS vulnerability last week we’ve been inundated with readers telling us that the issue has not only been around for months, but still exists and is yet to be patched.

We’ve had comments such as “I think it’s time eBay stopped allowing the use of javascript and Flash on listings” and “I told eBay months ago but they’ve still done nothing about it”.

This weekend when browsing on eBay we came across just such a listing for an iPhone. Here’s the screen shots we captured and even though the listing was live in search results on the listing page which was briefly visible before the redirect took place, it appears that the listing was ended.

We can only conclude that ended listings are as unsafe as live listings if they’ve been compromised and that in this instance the ended listing hasn’t been removed from eBay so is still viewable.

Screen shots of eBay XSS redirect vulnerability

eBay search results – eBay ended listing – redirect to glb.org.br – redirect to password phishing site

As of Sunday evening this ended listing (Item number 171468736109 Please do NOT browse to it and in no circumstances enter you eBay user name and password) is still viewable on eBay.

We’d like to emphasis that this isn’t eBay itself that’s been hacked. It is a listing by listing issue and it arses from criminals inserting dodgy code into the eBay description. That’s not to say that it shouldn’t happen, but the reality is that it does. However it’s the kind of code which should be stripped out of eBay descriptions to prevent the possibility of phishing attacks of this sort.

It’s not been a good year for eBay, what with the password reset issue and repeated site outages. Continued XSS issues is the last thing they need in the press in the run up to Christmas.

0 likes0 dislikes

Comments

Item 111468620012 is the same Why haven't eBay removed these listings/accounts We reported these in April as site interference & again with Dublin CS & it took 3 days before the listing was removed

Toby • 22nd September 2014 •

eBay don't remove these things because; A. They are organised to believe all sellers are lying. B. All buyers are telling the truth. C. They make money from these activities through listing fees. D. They really are too big for their boots and completely unaware of what goes on in the real world outside their shareholder interests. See current BBC news story for details. One man there was billed £35 for listings on his account. No evidence that eBay gave a thought to his complaint. Eventually he'll have all sorts of grief with this I imagine. https://www.bbc.co.uk/news/technology-29310042

TC1842 • 22nd September 2014 •

BBC teletext business news now reports that over 100 listings have been picked up with this security issue. This could be snowballing out of control. Would suggest that anybody viewing competively priced listings of "in demand" products treat the listings with caution as they may be spoofs created using a hacked account.

Gary • 22nd September 2014 •

WOW? Teletext? Do you mean it still exists? And you actually read it? Don't you have Internet yet?

Steve • 23rd September 2014 •

Try using the text button on your TV remote. The content may surprise you and it is free!

Gary • 23rd September 2014 •

Some of us even read...Newspapers and on occasions Magazines and as a Bookseller I've even been known to read....Books.

Chris T • 23rd September 2014 •

ohhh it is still available 111468620012

mobin • 22nd September 2014 •

I have a great idea. Why don't eBay techky people stop screwing around with their so called improvements, fix this issue, repair the many other pages that now don't load/work/blank/BLANK, etc and take redundancy? Or just simply fire the lot for being idiots. eBay would save millions, the site would actually work, and we would all be happy. Nahh, dont't be silly, thats far too simple!!

Steve • 23rd September 2014 •