Since we wrote about the eBay XSS vulnerability last week we’ve been inundated with readers telling us that the issue has not only been around for months, but still exists and is yet to be patched.
We’ve had comments such as “I think it’s time eBay stopped allowing the use of javascript and Flash on listings” and “I told eBay months ago but they’ve still done nothing about it”.
This weekend when browsing on eBay we came across just such a listing for an iPhone. Here’s the screen shots we captured and even though the listing was live in search results on the listing page which was briefly visible before the redirect took place, it appears that the listing was ended.
We can only conclude that ended listings are as unsafe as live listings if they’ve been compromised and that in this instance the ended listing hasn’t been removed from eBay so is still viewable.
Screen shots of eBay XSS redirect vulnerability
eBay search results – eBay ended listing – redirect to glb.org.br – redirect to password phishing site
As of Sunday evening this ended listing (Item number 171468736109 Please do NOT browse to it and in no circumstances enter you eBay user name and password) is still viewable on eBay.
We’d like to emphasis that this isn’t eBay itself that’s been hacked. It is a listing by listing issue and it arses from criminals inserting dodgy code into the eBay description. That’s not to say that it shouldn’t happen, but the reality is that it does. However it’s the kind of code which should be stripped out of eBay descriptions to prevent the possibility of phishing attacks of this sort.
It’s not been a good year for eBay, what with the password reset issue and repeated site outages. Continued XSS issues is the last thing they need in the press in the run up to Christmas.
8 Responses
Item 111468620012 is the same
Why haven’t eBay removed these listings/accounts
We reported these in April as site interference & again with Dublin CS & it took 3 days before the listing was removed
eBay don’t remove these things because;
A. They are organised to believe all sellers are lying.
B. All buyers are telling the truth.
C. They make money from these activities through listing fees.
D. They really are too big for their boots and completely unaware of what goes on in the real world outside their shareholder interests.
See current BBC news story for details. One man there was billed £35 for listings on his account. No evidence that eBay gave a thought to his complaint. Eventually he’ll have all sorts of grief with this I imagine.
https://www.bbc.co.uk/news/technology-29310042
BBC teletext business news now reports that over 100 listings have been picked up with this security issue. This could be snowballing out of control. Would suggest that anybody viewing competively priced listings of “in demand” products treat the listings with caution as they may be spoofs created using a hacked account.
ohhh it is still available 111468620012
I have a great idea.
Why don’t eBay techky people stop screwing around with their so called improvements, fix this issue, repair the many other pages that now don’t load/work/blank/BLANK, etc and take redundancy? Or just simply fire the lot for being idiots.
eBay would save millions, the site would actually work, and we would all be happy.
Nahh, dont’t be silly, thats far too simple!!