Last week an alarm was raised about a security hole on the eBay website which had caused at least one potential purchaser to be transported to a password-stealing scam instead of an auction page flogging an iPhone.
As I explain in the following video, hackers had managed to exploit an XSS (cross-site scripting) flaw in eBay to take unsuspecting users to a phishing page.
Fortunately, eagle-eyed IT consultant Paul Kerr spotted that he was being redirected a phishing page, and informed eBay’s support team regarding the serious issue.
But unfortunately, eBay did nothing about it until a journalist at the BBC later got in touch.
Of course, the same flaw could have been abused to not just redirect web browsers to a phishing page but to any manner of dangerous webpages, including content that might have been designed to infect users’ computers with malware. And the poisoned auction listings didn’t need to be selling iPhones, they could have just as easily used anything from a vintage gumball vending machine to a Whizzer and Chips 1970 Holiday Special as a lure.
At the time I worried that the flaw might have existed for some time, and that eBay’s claim that it was an isolated incident might not be entirely accurate.
Sadly, it looks as though I was right to have those fears.
A new report from the BBC claims that the vulnerability has been in existence since at least February of this year, and says that several eBay users have come forward and reported that they have had similar experiences which appear to be tied to the same flaw.
One user who contacted the BBC was Paul Castle, who shared a chat transcript that he had had with eBay’s support team back in February:
“I was just browsing in Digital Cameras and came across a password-harvesting scam.”
“This is potentially a big security problem for eBay users. There could be hundreds.”
eBay’s support team responded to Castle, saying that they would escalate the concern to “higher authorities”.
In further investigations, the BBC uncovered 64 listings from the past 15 days that “posed a danger to users”.
Indeed, eBay claims that it will display an error message if it determines the rules are being broken:
Clearly, however, eBay’s attempts to stamp out mischievous meddling in eBay listings failed and allowed the criminals to redirect users to a third-party page.
I think the underlying problem here is that eBay allows its sellers to customise auction listings too much, with too many bells and whistles and functionality that probably isn’t required to sell goods online. What’s wrong with having a simple photograph or two, and a text description of the goods on sale?
Why should you have to wade through ghastly-designed auction pages which look like someone has vomited a bucket’s worth of ugly HTML onto the page and ended up with something which looks like a badly-designed MySpace profile? It certainly turns me off some item listings on eBay, and clearly giving users that much flexibility has also introduced some serious security issues.
There are plenty of reasons to be careful when buying items on eBay in the first place, it’s disappointing to find out that you also need to keep a keen eye open for scams and malicious scripts that eBay’s security team should really have stamped out in the first place.