eBay under fire for inaction over phishing attacks

Auction site eBay is under fire after saying it has no plans to disallow active content in listings, despite the risk to users

Auction site eBay is under fire after saying it has no plans to disallow active content in listings, despite the risk of phishing attacks to users.

More than 100 listings containing malicious links have been discovered since an eBay user raised the alarm last week about a listing for iPhones that diverted to a phishing site for stealing user credentials.

Security professionals found that attackers were using cross-site scripting (XSS) to embed malicious JavaScript code in eBay’s product listing pages in a link that appeared to be from a trustworthy source.

When someone clicks on the link, the embedded script is submitted as part of the client's web request and then executes in the user's browser, typically allowing the attacker to steal information.

In the case of the compromised iPhone listing, the XSS code redirected users through a series of other websites, so they ended up at a legitimate-looking page asking for their eBay login and password.

The fake page contained code that had the potential to carry out further malicious actions.
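The listings described above carried their payloads as active content (scripts, event-handler attributes and `javascript:` links) inside seller-supplied HTML. The usual defence on a site that lets sellers author HTML is to pass every listing through an allow-list sanitizer before it is stored or rendered, so that only a known set of presentational tags and attributes survives. The following is an added example written for this article, not eBay's code or anything from the page; it uses Python's standard-library `html.parser`, and the listing markup (`SAMPLE_LISTING`) and the hostnames in it are constructed for the demonstration.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Allow-list: anything not named here is removed. Tags such as script, object,
# embed, iframe and applet (the "active content" discussed in the article) are
# absent, so they can never reach the rendered page.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "span", "div",
                "h1", "h2", "h3", "ul", "ol", "li", "table", "tr", "td", "th",
                "a", "img"}
# Per-tag attribute allow-list. Tags not listed keep no attributes at all,
# which also drops style="" and every on* event handler.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}      # absolute URLs only; javascript:/data: fail this check
VOID_TAGS = {"br", "img"}             # never emit a closing tag for these
# Disallowed tags whose *content* must also vanish (dropping only the markup
# would leave the script text as visible, harmless-looking prose).
DROP_CONTENT_TAGS = {"script", "style", "object", "iframe", "applet"}


def _safe_url(value):
    """True only for an absolute http(s) URL.

    Browsers ignore embedded tabs and newlines, so "java\tscript:" still runs;
    those characters are stripped before the scheme is inspected."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme in SAFE_SCHEMES


class ListingSanitizer(HTMLParser):
    """Rebuilds seller HTML from an allow-list and records what was stripped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # fragments of the sanitized document
        self.removed = []    # audit trail: what was dropped and why
        self.skip_depth = 0  # >0 while inside a tag whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            # An unclosed <iframe> swallows the rest of the listing: fail closed.
            self.skip_depth += 1
            self.removed.append(f"tag:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"tag:{tag}")   # markup dropped, inner text kept
            return
        kept = []
        for name, value in attrs:               # HTMLParser lower-cases names
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.removed.append(f"attr:{tag}@{name}")
                continue
            if name in URL_ATTRS and not _safe_url(value):
                self.removed.append(f"url:{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs decoded entities, so re-escape text on the way out.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments (handle_comment) are silently dropped by the base class default.


def sanitize_listing(html):
    """Return (clean_html, removed_items) for one seller-supplied listing."""
    parser = ListingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample listing mixing legitimate markup with the kinds of active
# content the article describes (script redirect, handler attribute,
# javascript: link, Flash object). Hostnames are placeholders.
SAMPLE_LISTING = (
    '<p>Brand new <b>iPhone</b>, boxed.</p>'
    '<script>window.location="http://phish.example/login"</script>'
    '<img src="https://img.example/iphone.jpg" onerror="alert(1)">'
    '<a href="javascript:window.open(\'http://phish.example\')">See more photos</a>'
    '<a href="https://example.com/gallery">Gallery</a>'
    '<object data="movie.swf"></object>'
)

if __name__ == "__main__":
    clean, removed = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    for item in removed:
        print("stripped:", item)
```

The `removed` list is the part a security team would actually watch: a seller whose listings repeatedly trip `tag:script` or `url:a@href=javascript:` entries is a strong signal of a hijacked account, which is the pattern the article reports. The sanitizer deliberately rebuilds the document rather than deleting matches from the raw string, so the output contains only what the allow-list can express.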

Despite this discovery and calls from security professionals for immediate action, eBay is refusing to disable active content, according to the BBC.

“Many of our sellers use active content like JavaScript and Flash to make their eBay listings perform better.


“We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security,” the online auction giant said in a statement.

According to the BBC, innocent user accounts are being hijacked to make the fake listings which contain malicious links exploiting the XSS flaw.

Many of the hijacked accounts reportedly had 100% positive feedback, and had sold hundreds of items.

None of this should ever have been allowed to happen because eBay says it has rigorous guidelines regarding the use of HTML and JavaScript on its auction listings, said security consultant Graham Cluley.

“Ebay’s attempts to stamp out mischievous meddling in eBay listings failed and allowed the criminals to redirect users to a third-party page,” he wrote in a blog post.

According to Cluley, the underlying problem is that eBay allows its sellers to customise auction listings too much, with functionality not required to sell goods online.

“There are plenty of reasons to be careful when buying items on eBay in the first place, but it is disappointing to find out you also need to keep a keen eye open for scams and malicious scripts that eBay’s security team should really have stamped out in the first place,” he said.

Charles Sweeney, chief executive at security firm Bloxx, was also critical of eBay’s approach to the threat.

“The success of the attack lies very much in its simplicity and people’s acceptance that what they are presented with online is real. What is really concerning is that, once again, eBay has demonstrated an unacceptable attitude to their users’ safety being compromised online,” he said.
