Experts Condemn eBay After XSS Attack Puts Users At Risk

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Security experts have condemned the online security at eBay after another attack exposes user data

Security at eBay has once again been compromised after a cross-site scripting (XSS) attack put users’ personal data at risk.

The security breach comes after another serious breach in May, when eBay asked 145 million users to change their passwords after hackers used the credentials of three eBay employees to access the email addresses and encrypted passwords of all users of the site.

Expert Condemnation

The attack on eBay was a cross-site scripting (XSS) attack, in which users were redirected to a spoof website designed to steal their credentials. It is not known at this stage how many users have been affected, the BBC said.

“It would be nice to think that eBay, one of the world’s most popular websites, had its act together when it came to securing its content,” wrote security veteran Graham Cluley. “After all, if a hacker were able to boobytrap auction pages on the site to redirect users to a phishing page that asked them to enter their eBay username and password, that would be a pretty bad thing. Right?”

Cluley highlighted how Paul Kerr, an eBay PowerSeller and IT worker in Scotland, stumbled across some cheap iPhones for sale on eBay. But when clicking on the link, he discovered that users were redirected to another webpage designed to look like the online marketplace’s welcome page. Users were then asked to enter their eBay usernames and passwords.

“eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done,” wrote Cluley, who also condemned the tardy response. “But, worse than that, why did it require the BBC to investigate before action was taken?”
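The defence Cluley describes, stripping active content out of seller-supplied listing HTML before it is served to other users, is what an allowlist sanitizer does. The following Python is an added illustration for this article, not eBay's code or anything from the BBC's report; it assumes a marketplace that lets sellers use a small set of formatting tags, and the sample listing it processes is constructed for the example. Script blocks, event-handler attributes and `javascript:` links are removed, and an audit trail of what was dropped is returned so a listing that keeps tripping the filter can be flagged for review.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Allowlist: anything not named here is removed from the listing.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https"}   # relative URLs are rejected too (assumption)
# Elements whose text content is itself active or deceptive, so the content goes as well.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form", "noscript"}
VOID_TAGS = {"br", "img"}


class ListingSanitizer(HTMLParser):
    """Rebuilds listing HTML from an allowlist of tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element
        self.dropped = []     # audit trail: (kind, detail) for everything removed

    @staticmethod
    def _safe_url(value):
        # Rejects javascript:, data:, vbscript: and similar; the scheme is
        # compared case-insensitively after surrounding whitespace is stripped.
        scheme = urlparse(value.strip()).scheme.lower()
        return scheme in ALLOWED_SCHEMES

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(("tag", tag))
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))   # tag goes, its text stays
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                self.dropped.append(("attr", f"{tag}@{name}"))   # on* handlers land here
                continue
            if name in URL_ATTRS and not self._safe_url(value):
                self.dropped.append(("url", f"{tag}@{name}={value}"))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # re-escape so text can never become markup

    def handle_comment(self, data):
        pass   # comments (including conditional comments) are dropped

    def result(self):
        return "".join(self.out)


def sanitize_listing(html_text):
    """Return (clean_html, dropped) for seller-supplied listing HTML."""
    parser = ListingSanitizer()
    parser.feed(html_text)
    parser.close()
    return parser.result(), parser.dropped


# Constructed sample listing, not taken from any real auction page.
SAMPLE_LISTING = (
    '<p>Cheap <b>iPhone</b>, boxed.</p>'
    '<script>window.location="http://login-example.invalid/";</script>'
    '<a href="javascript:void(0)" onclick="steal()">See more photos</a>'
    '<a href="https://example.invalid/more-photos">Genuine link</a>'
    '<img src="https://example.invalid/phone.jpg" alt="phone">'
)

if __name__ == "__main__":
    clean, dropped = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    for kind, detail in dropped:
        print(f"dropped {kind}: {detail}")
```

Run as a script it prints the cleaned listing, in which the redirecting script block and the `javascript:` link are gone while the ordinary formatting, the genuine link and the image survive, followed by one line per removed item. The allowlist approach is the important design choice: a denylist of known-bad tags is what lets the next variant through, whereas here anything not explicitly permitted never reaches the page.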

Security Concerns

To make matters worse, a spokesman for eBay reportedly played down the scope of the attack.

“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page,” an eBay spokesman was quoted by the BBC as saying. “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”

However, the BBC reportedly identified that a total of three listings had been posted by the same account involved. At least two of them produced the same redirect behaviour. The third was removed by eBay, along with the other two, before it could apparently be checked.

This is not the first time that eBay has been exposed. Back in May, the company was forced to admit that the personal details of millions of users had been exposed in an attack. Following that, the UK Information Commissioner’s Office (ICO) said it was coordinating with European authorities to launch a probe into the eBay breach.

eBay is also being investigated by the US states of Connecticut, Florida and Illinois over that attack.
