How to Stay Safe from eBay’s Newest Security Vulnerability

Dann Albright 02-03-2016

EBay has a reputation for less-than-stellar security practices, and it looks like it’s not going to get better anytime soon. A recently exposed security vulnerability is putting some users in danger, and eBay has decided to issue only a partial fix, instead of a complete one.


Here’s what you need to know about the vulnerability, how it works, and how to stay safe.

Active Content, XSS, and eBay Scams

The particular security vulnerability in question is tied to “active content,” which sellers can embed in their ads. Active content can use a variety of different technologies to make an item description more interesting or useful — it could be a small Flash app, a JavaScript menu, a web poll, or anything else that’s embedded and interactive. In the ad pictured below, it’s a script called “xsellgalleryscript” that tries to get you to buy other items from the seller.


In most cases, active content is totally safe. It’s mildly annoying, but safe. However, with cross-site scripting (XSS) What's Cross-Site Scripting (XSS), & Why It Is A Security Threat Cross-site scripting vulnerabilities are the biggest website security problem today. Studies have found they’re shockingly common – 55% of websites contained XSS vulnerabilities in 2011, according to White Hat Security’s latest report, released in June... Read More , a script that’s housed on another site can be loaded on an eBay page, and that script could be anything — it could download malware, attempt to phish your user credentials, or create other kinds of mayhem. Of course, because this attack is a rather common one, eBay uses filters that attempt to prevent it.

Unfortunately, someone found a way through. It uses a technique called JSF*ck, a fascinating way to write JavaScript code using only six characters: []()!+. With two brackets, two parentheses, an exclamation point, and a plus sign, you can create and run any JavaScript code.



It’s a fun exercise, like the Brainf**k programming language 10 Programming Languages You Probably Never Heard Of There are some very strange and bizarre programming languages which have turned logic on its head and have still managed to stay true to the science of communication with a computer. You are going to... Read More . But it can also be used to get by eBay’s filters.

A cybersecurity firm called Check Point first reported this vulnerability, and stated that it could be used on the desktop site or through the iOS or Android apps to download malware or redirect users to phishing pages where they may inadvertently give away user credentials. Here’s a video of an attack in action:

Check Point demonstrated and reported this vulnerability to eBay in December 2015, expecting that they would update their software to prevent the exploit. According to BBC, eBay told Check Point in January that they had no plans to fix the vulnerability, but that they implemented a partial fix in February. Why just a partial fix? “[I]t’s important to understand that malicious content on our marketplace is extraordinarily uncommon,” eBay told the BBC.


Despite eBay’s insistence that the risk of this type of attack is extremely low, security firm Netcraft reported that it was being actively used to phish potential buyers’ email addresses What Exactly Is Phishing & What Techniques Are Scammers Using? I’ve never been a fan of fishing, myself. This is mostly because of an early expedition where my cousin managed to catch two fish while I caught zip. Similar to real-life fishing, phishing scams aren’t... Read More and encourage them to complete payment via a fake escrow service. And the scam worked — Netcraft has shared screenshots of an upset user’s petition for help after being told by eBay, the police, and his bank that they couldn’t help him.

How to Protect Yourself from the XSS Vulnerability on eBay

As long as eBay doesn’t totally fix this problem, there’s a chance that you could run into a listing that a scammer has compromised and put yourself at risk. There are a few things you can do to decrease your risk of being caught out, however.

The first thing you should do is make sure that you’re using a click-to-play ability in your browser. Chrome has this ability built in, Firefox has the popular NoScript extension, and Safari users can install JS Blocker 5. This will prevent any scripts from loading unless you specifically give them permission. You shouldn’t need to load them on eBay, but if you do, you can enable them with a single click.



If you enable plugins, you’ll have to be extra vigilant to make sure that you’re not being taken advantage of. Whenever you’re about to click a Buy It NowMake Offer, or Bid link on eBay, make sure that the URL in your browser is, and not something else. If you’re being phished, the domain will be something other than

If you’re using an eBay mobile app, make sure to double-check the URL of any linked page, especially if it’s asking you for eBay login information. And don’t download any other apps! The eBay app will not encourage you to download something else. As Brian Krebs, one of the best security bloggers out there, says in his 3 Basic Rules for Online Safety, if you didn’t go looking for it, don’t install it!


Beyond this, it’s standard online marketplace safety stuff. Only communicate through the website, and not through email, no matter what. Don’t click on links in emails from eBay, just go to in case the email came from a scammer. Check to see if links on the site are safe 8 Ways to Make Sure a Link Is Safe Before You Click It Hyperlinks as we all know are the strands that make up the web. But just like the spiders, the digital web can trap the unsuspecting. Even the more knowledgeable among us click on links which... Read More before you use them. Use a strong password How to Generate Strong Passwords That Match Your Personality Without a strong password you could quickly find yourself on the receiving end of a cyber-crime. One way to create a memorable password could be to match it to your personality. Read More , and change it regularly. All of the regular “keep yourself safe” tips that we share all the time apply here, too.


Don’t Get Caught by this eBay Cross-Site Scripting Scam

Protecting yourself from scams on eBay 10 eBay Scams to Be Aware Of Being scammed sucks, especially on eBay. Here are the most common eBay scams you need to know about, and how to avoid them. Read More  requires a bit of vigilance and a little proactive prevention. Between using a script-blocking browser or extension, watching for suspicious URLs, and making sure to watch out for strange downloads or requests, you should be totally fine, even if eBay doesn’t fix this vulnerability (which they likely won’t, at least for a while). So take a couple quick steps, and get back to saving tons of money by shopping on eBay 5 Critical eBay Online Shopping Tips You Must Know eBay is different from Amazon and other shopping sites. Here are the critical eBay shopping tips you must know to succeed. Read More !

Do you shop on eBay? Does their record of non-action on security vulnerabilities worry you? Are you less likely to shop there because they haven’t responded well to the reporting of this particular bug? Share your thoughts below!

Image Credits:hacker [Broken URL Removed] by Photosani via Shutterstock

Related topics: eBay, Scams.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. W.Lee
    April 10, 2016 at 11:42 am

    Thanks for this information. Pretty scary stuff.I certainly was'nt aware of this. EBay is such a huge conglomerate. Why would they not take care of this vulnerability to the fullest extent. Seems that they'd risk losing customers. I'll certainly think twice before I use EBay. And if I do I'll certainly reread the aforementioned article.

    • Dann Albright
      April 12, 2016 at 8:18 pm

      I'm not sure why they don't fix it; that seems like a strange decision to me, too. Especially because it's a problem that many other sites have had and have dealt with before. Very strange. Hopefully a fix is coming soon!