How to Stay Safe from eBay’s Newest Security Vulnerability

Ads by Google

EBay has a reputation for less-than-stellar security practices, and it looks like it’s not going to get better anytime soon. A recently exposed security vulnerability is putting some users in danger, and eBay has decided to issue only a partial fix, instead of a complete one.

Here’s what you need to know about the vulnerability, how it works, and how to stay safe.

Active Content, XSS, and eBay Scams

The particular security vulnerability in question is tied to “active content,” which sellers can embed in their ads. Active content can use a variety of different technologies to make an item description more interesting or useful — it could be a small Flash app, a JavaScript menu, a web poll, or anything else that’s embedded and interactive. In the ad pictured below, it’s a script called “xsellgalleryscript” that tries to get you to buy other items from the seller.


In most cases, active content is totally safe. It’s mildly annoying, but safe. However, with cross-site scripting (XSS), a script that’s housed on another site can be loaded on an eBay page, and that script could be anything — it could download malware, attempt to phish your user credentials, or create other kinds of mayhem. Of course, because this attack is a rather common one, eBay uses filters that attempt to prevent it.

Unfortunately, someone found a way through. It uses a technique called JSF*ck, a fascinating way to write JavaScript code using only six characters: []()!+. With two brackets, two parentheses, an exclamation point, and a plus sign, you can create and run any JavaScript code.

Ads by Google


It’s a fun exercise, like the Brainf**k programming language. But it can also be used to get by eBay’s filters.

A cybersecurity firm called Check Point first reported this vulnerability, and stated that it could be used on the desktop site or through the iOS or Android apps to download malware or redirect users to phishing pages where they may inadvertently give away user credentials. Here’s a video of an attack in action:

Check Point demonstrated and reported this vulnerability to eBay in December 2015, expecting that they would update their software to prevent the exploit. According to BBC, eBay told Check Point in January that they had no plans to fix the vulnerability, but that they implemented a partial fix in February. Why just a partial fix? “[I]t’s important to understand that malicious content on our marketplace is extraordinarily uncommon,” eBay told the BBC.

Despite eBay’s insistence that the risk of this type of attack is extremely low, security firm Netcraft reported that it was being actively used to phish potential buyers’ email addresses and encourage them to complete payment via a fake escrow service. And the scam worked — Netcraft has shared screenshots of an upset user’s petition for help after being told by eBay, the police, and his bank that they couldn’t help him.

How to Protect Yourself from the XSS Vulnerability on eBay

As long as eBay doesn’t totally fix this problem, there’s a chance that you could run into a listing that a scammer has compromised and put yourself at risk. There are a few things you can do to decrease your risk of being caught out, however.

The first thing you should do is make sure that you’re using a click-to-play ability in your browser. Chrome has this ability built in, Firefox has the popular NoScript extension, and Safari users can install JS Blocker 5. This will prevent any scripts from loading unless you specifically give them permission. You shouldn’t need to load them on eBay, but if you do, you can enable them with a single click.


If you enable plugins, you’ll have to be extra vigilant to make sure that you’re not being taken advantage of. Whenever you’re about to click a Buy It NowMake Offer, or Bid link on eBay, make sure that the URL in your browser is, and not something else. If you’re being phished, the domain will be something other than

If you’re using an eBay mobile app, make sure to double-check the URL of any linked page, especially if it’s asking you for eBay login information. And don’t download any other apps! The eBay app will not encourage you to download something else. As Brian Krebs, one of the best security bloggers out there, says in his 3 Basic Rules for Online Safety, if you didn’t go looking for it, don’t install it!


Beyond this, it’s standard online marketplace safety stuff. Only communicate through the website, and not through email, no matter what. Don’t click on links in emails from eBay, just go to in case the email came from a scammer. Check to see if links on the site are safe before you use them. Use a strong password, and change it regularly. All of the regular “keep yourself safe” tips that we share all the time apply here, too.

Don’t Get Caught by this eBay Cross-Site Scripting Scam

Protecting yourself from scams on eBay requires a bit of vigilance and a little proactive prevention. Between using a script-blocking browser or extension, watching for suspicious URLs, and making sure to watch out for strange downloads or requests, you should be totally fine, even if eBay doesn’t fix this vulnerability (which they likely won’t, at least for a while). So take a couple quick steps, and get back to saving tons of money by shopping on eBay!

Do you shop on eBay? Does their record of non-action on security vulnerabilities worry you? Are you less likely to shop there because they haven’t responded well to the reporting of this particular bug? Share your thoughts below!

Image Credits:hacker by Photosani via Shutterstock

Join live MakeUseOf Groups on Grouvi App Join live Groups on Grouvi
Best Anonymity Tools
Best Anonymity Tools
920 Members
Online Security Tips
Online Security Tips
412 Members
Tips for Privacy Obsessed
Tips for Privacy Obsessed
401 Members
New Security Breaches
New Security Breaches
234 Members
Affiliate Disclamer

This article may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.
New comment

Please login to avoid entering captcha

Log In