Pinterest Stumbleupon Whatsapp
Ads by Google

Buyers shopping for new iPhones have found themselves scammed by criminals employing a cross site scripting vulnerability on eBay listings. Find out how to avoid being caught out by a weakness the auction marketplace should have already patched.

EBay: Another Security Breach

Earlier in 2014, we learned that eBay had been hacked The eBay Data Breach: What You Need To Know The eBay Data Breach: What You Need To Know Read More , with millions of usernames and passwords potentially revealed to cyber criminals in a leak that the online auction service somehow failed to reveal for several months. The company is already facing a class action lawsuit in the USA concerning this event.

This week (just days after a seven hour outage hit sellers) researchers discovered that eBay security has been breached again, this time by manipulating the cross site scripting vulnerability, a weakness that should have been patched a long time ago.

By clicking on the link for an iPhone, the user would then be taken to an eBay login page, where their username and password would be requested, which the user would have to enter before getting the opportunity to buy the device. Except, there was no device, and the buyers weren’t on eBay anymore.

Here’s a video explaining the vulnerability, which was discovered by Paul Kerr, from Alloa in Clackmannanshire.

Ads by Google

What this means is that it was possible for scammers to use a relatively simple technique to take you out of the genuine eBay site to a convincing spoof (essentially a clone of eBay), a phishing site What Exactly Is Phishing & What Techniques Are Scammers Using? What Exactly Is Phishing & What Techniques Are Scammers Using? I’ve never been a fan of fishing, myself. This is mostly because of an early expedition where my cousin managed to catch two fish while I caught zip. Similar to real-life fishing, phishing scams aren’t... Read More where your payment details are taken and used for criminal purposes.

What Is Cross-Site Scripting?

Cross-site scripting (also known as XSS) is a vulnerability first recorded in the 1990s and by 2007 accounted for 84% of online weaknesses documented by Symantec (opens PDF file). We’ve previously explained why this is such a threat to websites What's Cross-Site Scripting (XSS), & Why It Is A Security Threat What's Cross-Site Scripting (XSS), & Why It Is A Security Threat Cross-site scripting vulnerabilities are the biggest website security problem today. Studies have found they’re shockingly common – 55% of websites contained XSS vulnerabilities in 2011, according to White Hat Security’s latest report, released in June... Read More .

Causing havoc with a site that is open to attack from XSS is often as simple as inputting code into a form (or in some cases, the address bar) that can be used to overwhelm the website, hack the database or, as in the case with eBay, divert the customer to a different site entirely.

muo-ebayXSS-hacker

There are two types of XSS, non-persistent and persistent. In the case of the eBay attack, the attacker’s data was saved on the eBay server, meaning that the same links were introduced to various users, taking them all away from the comparative safety of eBay to the spoof sites constructed to record their data.

Regardless of the type of XSS used, however, the dangerous code should have been stripped when it was submitted. This is a basic aspect of website security, and the fact that eBay somehow overlooked this is a scandal.

How EBay Dealt With This Breach

EBay spoke to the BBC about the breach, which the company essentially played down.

“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page […] We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”

However the BBC identified three such listings before they were removed by eBay.

muo-ebayXSS-logo

Just as concerning as the discovery of an age-old vulnerability is the company’s response time. Kerr reports that he was advised by the eBay employee he spoke to on the phone that the matter would be dealt with immediately, but somehow it took 12 hours and a BBC phone call for any action to be taken.

There is also no confirmation that the vulnerability has been patched, or how often it has been employed by scammers in the past. Perhaps more worryingly, eBay’s PR department doesn’t even bother to provide an official narrative for the problem (or, indeed, confirm its existence).

EBay customers surely deserve better than this.

What You Should Do Now: Stay Away From EBay

Until eBay is able to deal with this breach AND introduce a policy of transparency concerning future security issues, we would suggest that you give the site a wide berth. This is assuming you haven’t already cancelled your account following the previous breach, that is.

If you think you have been caught in a similar scam using XSS code in eBay listings to divert you away from the site, and have submitted personal information to a phishing site as a result, you should head to www.ebay.com straightaway to change your username and password. If credit card information was submitted, contact your credit card company, and if you used PayPal, check your account.

EBay: It’s Time To Change

muo-ebayXSS-clock

EBay in its current form is living on borrowed time. Unless its management changes the culture concerning communication with its users about security matters of importance, trust is going to deteriorate further. During 2014, we’ve seen several offers of free listings on weekends, the introduction of 50 free listings a month, and most recently competitions to giveaway 10,000 free listings.

Could these be an attempt to maintain interest in a site that people are walking away from?

Whatever the case, after two major security breaches in the space of just a few months, MakeUseOf advises its readers to find reputable sellers and secure marketplaces away from eBay, or even buy offline until changes are made.

How do you feel about eBay now? Will you keep using the online auction marketplace, or has this news turned you off for good? Tell us your thoughts below.

Image Credits: Hacker using laptop via Shutterstock, Retro alarm clock via Shutterstock, eBay logo via Nclm

  1. Dana Bostick
    September 22, 2014 at 3:50 pm

    EBay's handling of security is shameful. This is just another example of their criminally casual handling of these types of things.

    In addition, in my opinion, in an attempt to compete with Amazon, eBay has gone way overboard on their commitment to service BUYERS to the severe detriment of the Sellers. They have implemented many policies that essentially make it a walk in the park to scam a seller out of their product and get a refund at the same time. This is a double injury for a seller and eBay does absolutely nothing to protect the sellers from this type of activity.

  2. Steve K-E
    September 21, 2014 at 8:30 pm

    Microsoft provided advice on preventing cross-site scripting issues way back in the Windows 2000-era:
    - http://support.microsoft.com/kb/252985

    IBM provided advice on it back in July 2013:
    - http://www.ibm.com/developerworks/library/se-prevent/

    Computer Weekly did the same (free registration required):
    - http://www.computerweekly.com/tip/Cross-site-scripting-explained-How-to-prevent-XSS-attacks

    Google mention it:
    - http://www.google.co.uk/about/appsecurity/learning/xss/

    5. The "For Dummies" Website:
    - http://www.dummies.com/how-to/content/crosssite-scripting-hacks-in-web-applications.html

    Some useful reading in "real" books:
    - O'Reilly Books: "PHP Cookbook" by David Sklar & Adam Trachtenberg: http://shop.oreilly.com/product/9781565926813.do
    - O'Reilly Books: "Learning PHP, MySQL & Javascript" by Robin Nixon: http://shop.oreilly.com/product/9780596157142.do
    - O'Reilly Books: "Essential PHP Security" by Chris Shiflett: http://shop.oreilly.com/product/9780596006563.do

    ... I could go on! All eBay need to do is a simple web search for "how to prevent cross site scripting" and they'll find plenty of similar articles - I just chose 4 well-known, trustworthy sites above!

    Perhaps someone could let eBay know? In fact, I have contacted them with a suggestion that they get their programmers might like to look at them.

    I know that I won't get a reply, but as every suggestion is meant to be read, I presume someone might get an idea - especially as I suggested that myself and friends may be considering giving up on them!

Leave a Reply

Your email address will not be published. Required fields are marked *