eBay has removed malicious links in a listing for iPhones that diverted to a phishing site designed to steal user credentials.
This is the latest in a string of security incidents at the online auction site that have put users at risk.
But eBay failed to take immediate action to protect its users, only removing the links after a call from the BBC more than 12 hours after it was first alerted to the problem by a user.
Security experts have criticised the site for taking so long to respond to reports of the compromise and for failing to identify it in the first place.
"eBay is a large company and it should have a 24/7 response team to deal with this," said Steven Murdoch from University College London's information security research group.
"This case is unambiguously bad," he told the BBC.
When someone clicks on the link, the script embedded in it, known as cross-site scripting (XSS) code, is submitted as part of the client's web request and can execute in the user's browser, typically allowing the attacker to steal information.
In this case, the XSS code automatically redirected users through a series of other websites, so they ended up at a legitimate-looking page asking for their eBay login and password.
The fake page contained code that had the potential to carry out further malicious actions.
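The defence the article goes on to describe, stripping such script out of listing pages, can be implemented as an allowlist sanitizer run over seller-supplied HTML before it is stored. The following Python example is added here and is not eBay's code; the allowed tags, the sample listing and the domains in it are constructed for illustration.

```python
from html.parser import HTMLParser
from html import escape

# Markup a marketplace might let sellers use; anything outside it is dropped.
ALLOWED_TAGS = {"p", "b", "i", "br", "ul", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://")
class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):  # swallow the element and its contents
            self.skip_depth += 1
            self.findings.append(f"dropped <{tag}> block")
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped <{tag}>")
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            url = "".join(value.split()).lower()  # collapse whitespace/case before the scheme check
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"dropped attribute {name} on <{tag}>")
            elif name in ("href", "src") and not url.startswith(SAFE_SCHEMES):
                self.findings.append(f"dropped {name} with unsafe URL on <{tag}>")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:  # text inside <script> never reaches the output
            self.out.append(escape(data))

def sanitize_listing(html):
    p = ListingSanitizer()  # returns (clean_html, findings); any finding means hold for review
    p.feed(html)
    p.close()
    return "".join(p.out), p.findings

# Constructed sample (not the real listing): a link, an image and a script that would each send the buyer away.
SAMPLE_LISTING = ('<p>iPhone 5S, <b>unlocked</b>, boxed.</p>'
    "<a href=\"javascript:window.location='http://phish.example/login'\">See more photos</a>"
    '<img src="https://img.example/phone.jpg" onerror="alert(1)" alt="phone">'
    '<script>document.location="http://phish.example"</script>')
```

Run on the sample, the description and image survive, while the redirecting link target, the event handler and the script block are removed and each is reported in the findings list, so a listing with non-empty findings can be held for review instead of published.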
Independent security consultant Graham Cluley said eBay had dropped the ball by letting malicious script find its way into auction entries.
"It is the kind of code which should be stripped out of its pages, so there is no possibility of any harm being done," he wrote in a blog post.
Despite the risk to eBay users, a spokesman for the auction site played down the scope of the attack.
"This report relates only to a single item listing on eBay.co.uk whereby the user has included a link which redirects users away from the listing page," he said.
"We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links."
According to the BBC, two other listings were posted by the same account and at least one of them contained malicious links. However, all three listings were removed by eBay before the third could be checked.
"It would be nice to think that eBay, one of the world's most popular websites, had its act together when it came to securing its content," said Cluley.
The incident comes just three months after eBay forced users to change their passwords after the compromise of a database containing encrypted passwords and other non-financial data.
In July, eBay revealed that 1,600 accounts on its StubHub ticket resale site had been broken into, resulting in a scam that defrauded the service of about £600,000.