EBay has a reputation for less-than-stellar security practices, and it looks like it’s not going to get better anytime soon. A recently exposed security vulnerability is putting some users in danger, and eBay has decided to issue only a partial fix, instead of a complete one.
Here’s what you need to know about the vulnerability, how it works, and how to stay safe.
Active Content, XSS, and eBay Scams
In most cases, active content is totally safe. It’s mildly annoying, but safe. However, with cross-site scripting (XSS), a script that’s housed on another site can be loaded on an eBay page, and that script could be anything — it could download malware, attempt to phish your user credentials, or create other kinds of mayhem. Of course, because this attack is a rather common one, eBay uses filters that attempt to prevent it.
It’s a fun exercise, like the Brainf**k programming language. But it can also be used to get past eBay’s filters.
A cybersecurity firm called Check Point first reported this vulnerability, and stated that it could be used on the desktop site or through the iOS or Android apps to download malware or redirect users to phishing pages where they may inadvertently give away user credentials. Here’s a video of an attack in action:
Check Point demonstrated and reported this vulnerability to eBay in December 2015, expecting that they would update their software to prevent the exploit. According to BBC, eBay told Check Point in January that they had no plans to fix the vulnerability, but that they implemented a partial fix in February. Why just a partial fix? “[I]t’s important to understand that malicious content on our marketplace is extraordinarily uncommon,” eBay told the BBC.
Despite eBay’s insistence that the risk of this type of attack is extremely low, security firm Netcraft reported that it was being actively used to phish potential buyers’ email addresses and encourage them to complete payment via a fake escrow service. And the scam worked — Netcraft has shared screenshots of an upset user’s petition for help after being told by eBay, the police, and his bank that they couldn’t help him.
How to Protect Yourself from the XSS Vulnerability on eBay
As long as eBay doesn’t totally fix this problem, there’s a chance that you could run into a listing that a scammer has compromised and put yourself at risk. There are a few things you can do to decrease your risk of being caught out, however.
The first thing you should do is make sure that you’re using a click-to-play ability in your browser. Chrome has this ability built in, Firefox has the popular NoScript extension, and Safari users can install JS Blocker 5. This will prevent any scripts from loading unless you specifically give them permission. You shouldn’t need to load them on eBay, but if you do, you can enable them with a single click.
If you enable plugins, you’ll have to be extra vigilant to make sure that you’re not being taken advantage of. Whenever you’re about to click a Buy It Now, Make Offer, or Bid link on eBay, make sure that the URL in your browser is ebay.com, and not something else. If you’re being phished, the domain will be something other than ebay.com.
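The domain check described above, as an added example that is not part of the original article or eBay's own code; it uses the browser-style WHATWG URL parser so the hostname it compares is the one a browser would actually connect to. The TRUSTED_DOMAINS list and the sample links are constructed assumptions, not eBay's official domain list.

```javascript
// Added example (not from the article): apply the "is it really ebay.com?" check
// to a list of links. Assumption: TRUSTED_DOMAINS is an illustrative allow-list.
const TRUSTED_DOMAINS = ["ebay.com", "ebay.co.uk", "ebay.de"];

// Hostname a browser would connect to, or null for anything that is not a web link.
function hostnameOf(link) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return null; // not an absolute URL
  }
  // javascript:, data: and similar schemes never lead to an eBay page.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Lower-case and drop a trailing dot so "EBAY.COM." equals "ebay.com".
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

// True only when the host is a trusted domain or a subdomain of one.
// A "contains ebay.com" test would pass www.ebay.com.evil.example, so the
// comparison is anchored at the end of the hostname instead.
function isTrustedEbayHost(link) {
  const host = hostnameOf(link);
  if (host === null) return false;
  return TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Classify several links at once; returns one record per link.
function auditLinks(links) {
  return links.map((link) => ({ link, host: hostnameOf(link), trusted: isTrustedEbayHost(link) }));
}

// Constructed sample links covering common look-alike tricks (none are real pages).
const SAMPLE_LINKS = [
  "https://www.ebay.com/itm/123456",             // genuine listing shape
  "https://signin.ebay.co.uk/",                  // genuine country site
  "https://www.ebay.com.login-verify.example/",  // ebay.com is only a prefix of another domain
  "https://ebay.com@phish.example/",             // "ebay.com" is the userinfo part, not the host
  "https://ebay-secure-escrow.example/pay",      // brand word inside an unrelated domain
  "https://\u0435bay.com/",                      // Cyrillic "е" homoglyph; parser punycode-encodes it
  "javascript:void(0)",                          // not a web address at all
];

for (const r of auditLinks(SAMPLE_LINKS)) {
  console.log(`${r.trusted ? "OK     " : "SUSPECT"} ${r.host || "(no host)"}  <- ${r.link}`);
}
```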
If you’re using an eBay mobile app, make sure to double-check the URL of any linked page, especially if it’s asking you for eBay login information. And don’t download any other apps! The eBay app will not encourage you to download something else. As Brian Krebs, one of the best security bloggers out there, says in his 3 Basic Rules for Online Safety, if you didn’t go looking for it, don’t install it!
Beyond this, it’s standard online marketplace safety stuff. Only communicate through the website, never through email, no matter what. Don’t click links in emails that appear to come from eBay; go directly to ebay.com instead, in case the email came from a scammer. Check whether links on the site are safe before you use them. Use a strong password, and change it regularly. All of the regular “keep yourself safe” tips that we share all the time apply here, too.
Don’t Get Caught by this eBay Cross-Site Scripting Scam
Protecting yourself from scams on eBay requires a bit of vigilance and a little proactive prevention. Between using a script-blocking browser or extension, watching for suspicious URLs, and keeping an eye out for strange downloads or requests, you should be totally fine, even if eBay doesn’t fix this vulnerability (which they likely won’t, at least for a while). So take a couple of quick steps, and get back to saving tons of money by shopping on eBay!
Do you shop on eBay? Does their record of non-action on security vulnerabilities worry you? Are you less likely to shop there because they haven’t responded well to the reporting of this particular bug? Share your thoughts below!