Buyers shopping for new iPhones have found themselves scammed by criminals exploiting a cross-site scripting vulnerability in eBay listings. Find out how to avoid being caught out by a weakness the auction marketplace should have already patched.
EBay: Another Security Breach
Earlier in 2014, we learned that eBay had been hacked, with millions of usernames and passwords potentially revealed to cyber criminals in a leak that the online auction service somehow failed to reveal for several months. The company is already facing a class action lawsuit in the USA concerning this event.
This week (just days after a seven-hour outage hit sellers) researchers discovered that eBay security has been breached again, this time through a cross-site scripting vulnerability, a weakness that should have been patched a long time ago.
By clicking on the link for an iPhone, the user would then be taken to an eBay login page, where their username and password would be requested, which the user would have to enter before getting the opportunity to buy the device. Except, there was no device, and the buyers weren’t on eBay anymore.
Here’s a video explaining the vulnerability, which was discovered by Paul Kerr, from Alloa in Clackmannanshire.
What this means is that it was possible for scammers to use a relatively simple technique to take you out of the genuine eBay site to a convincing spoof (essentially a clone of eBay), a phishing site where your payment details are taken and used for criminal purposes.
What Is Cross-Site Scripting?
Cross-site scripting (also known as XSS) is a vulnerability that was first recorded in the 1990s and by 2007 accounted for 84% of online weaknesses documented by Symantec. We’ve previously explained why this is such a threat to websites.
Causing havoc with a site that is open to attack from XSS is often as simple as inputting code into a form (or in some cases, the address bar) that can be used to overwhelm the website, hack the database or, as in the case with eBay, divert the customer to a different site entirely.
There are two types of XSS, non-persistent and persistent. In the case of the eBay attack, the attacker’s data was saved on the eBay server (the persistent type), meaning that the same links were presented to various users, taking them all away from the comparative safety of eBay to the spoof sites constructed to record their data.
Regardless of the type of XSS used, however, the dangerous code should have been stripped when it was submitted. This is a basic aspect of website security, and the fact that eBay somehow overlooked this is a scandal.
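One way to do the stripping described above, as an added example that is not from the article or from eBay's own code: an allowlist sanitizer for submitted listing HTML that drops script elements, event-handler attributes and links to hosts other than the marketplace. The tag lists, the host marketplace.example and the sample listing are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# All names, hosts and the sample listing are constructed for illustration.
ALLOWED_TAGS = {"p", "b", "i", "ul", "li", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}
ALLOWED_HOSTS = {"marketplace.example"}  # hosts a listing may link to

def safe_url(value):  # only absolute http(s) URLs on an allowlisted host
    try:
        parts = urlsplit((value or "").strip())
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0: inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ())  # drops onclick, onerror, style
                    and (n not in ("href", "src") or safe_url(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-encoded, never passed raw

def sanitize_listing(html_text):
    parser = ListingSanitizer()
    parser.feed(html_text)
    parser.close()  # flush any buffered text
    return "".join(parser.out)

SAMPLE_LISTING = ('<p>iPhone 5S, boxed</p><script>location="https://phish.example/"</script>'
                  '<a href="https://phish.example/" onclick="x()">Buy</a>'
                  '<img src="javascript:x()" onerror="x()" alt="phone">'
                  '<a href="https://marketplace.example/itm/1">More</a>')
```

Sanitizing on submission works alongside encoding the listing text when the page is rendered; it does not replace it.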
How EBay Dealt With This Breach
EBay spoke to the BBC about the breach, which the company essentially played down.
“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page […] We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”
However, the BBC identified three such listings before they were removed by eBay.
Just as concerning as the discovery of an age-old vulnerability is the company’s response time. Kerr reports that he was advised by the eBay employee he spoke to on the phone that the matter would be dealt with immediately, but somehow it took 12 hours and a BBC phone call for any action to be taken.
There is also no confirmation that the vulnerability has been patched, or how often it has been employed by scammers in the past. Perhaps more worryingly, eBay’s PR department doesn’t even bother to provide an official narrative for the problem (or, indeed, confirm its existence).
EBay customers surely deserve better than this.
What You Should Do Now: Stay Away From EBay
Until eBay is able to deal with this breach AND introduce a policy of transparency concerning future security issues, we would suggest that you give the site a wide berth. This is assuming you haven’t already cancelled your account following the previous breach, that is.
If you think you have been caught in a similar scam using XSS code in eBay listings to divert you away from the site, and have submitted personal information to a phishing site as a result, you should head to www.ebay.com straightaway to change your username and password. If credit card information was submitted, contact your credit card company, and if you used PayPal, check your account.
EBay: It’s Time To Change
EBay in its current form is living on borrowed time. Unless its management changes the culture concerning communication with its users about security matters of importance, trust is going to deteriorate further. During 2014, we’ve seen several offers of free listings on weekends, the introduction of 50 free listings a month, and most recently competitions to give away 10,000 free listings.
Could these be an attempt to maintain interest in a site that people are walking away from?
Whatever the case, after two major security breaches in the space of just a few months, MakeUseOf advises its readers to find reputable sellers and secure marketplaces away from eBay, or even buy offline until changes are made.
How do you feel about eBay now? Will you keep using the online auction marketplace, or has this news turned you off for good? Tell us your thoughts below.