eBay cross-scripting vulnerability exploited

By on
eBay cross-scripting vulnerability exploited
Example of eBay cross-scripting in auctions.

Auction site slow to respond.

Scammers are exploiting cross-scripting vulnerabilities on the website of online auction giant eBay in order to redirect users to capture their credentials.

The malicious listing was discovered by Briton Paul Kerr, as first reported by the BBC, who noticed that an auction for an Apple iPhone 5s redirected to a bogus site that asked him to enter his eBay credentials.

The auction in question contained Javascript to redirect users to the credentials-stealing website.

eBay was notified about the malicious listing and two further auctions, but took over twelve hours to take them down.

Paul Kerr demonstrates the malicious eBay auction he discovered.

The security hole appears to have been in existence for several months. In May this year, German-language news site Golem.de reported a researcher had notified eBay that it was possible to compromise user accounts with malicious Javascript as well as Adobe Flash code in auctions.

At the time, eBay said it would not prevent active content in auctions and that it had technological solutions in place to protect users against malicious code.

eBay has been plagued by a string of security issues over the past 12 months, including a May hack that saw attackers access a database with customer details and which led to a joint investigation by three American states into its security practices.

Legal action related to the incident commenced in the United States against eBay in July this year, alleging the company was slow to respond to the security breach and failed to protect private information of customers.

eBay Australia has been contacted for comment.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?