Scammers are exploiting cross-site scripting vulnerabilities on the website of online auction giant eBay to redirect users to a bogus site that captures their credentials.

The malicious listing, first reported by the BBC, was discovered by Briton Paul Kerr, who noticed that an auction for an Apple iPhone 5s redirected to a bogus site that asked him to enter his eBay credentials.
The auction in question contained JavaScript to redirect users to the credentials-stealing website.
eBay was notified about the malicious listing and two further auctions, but took over twelve hours to take them down.
Paul Kerr demonstrates the malicious eBay auction he discovered.
The security hole appears to have been in existence for several months. In May this year, German-language news site Golem.de reported that a researcher had notified eBay that it was possible to compromise user accounts with malicious JavaScript as well as Adobe Flash code in auctions.
At the time, eBay said it would not prevent active content in auctions and that it had technological solutions in place to protect users against malicious code.
eBay has been plagued by a string of security issues over the past 12 months, including a May hack in which attackers accessed a database with customer details and which led to a joint investigation by three American states into its security practices.
Legal action related to the incident commenced in the United States against eBay in July this year, alleging the company was slow to respond to the security breach and failed to protect private information of customers.
eBay Australia has been contacted for comment.