Auction site eBay is under fire after saying it has no plans to disallow active content in listings, despite the risk of phishing attacks to users.
More than 100 listings containing malicious links have been discovered since an eBay user raised the alarm last week about a listing for iPhones that diverted to a phishing site for stealing user credentials.
When someone clicks on the link, the embedded script is submitted as part of the client's web request and runs in the user's browser as though it were part of eBay's own page, typically allowing the attacker to steal information.
In the case of the compromised iPhone listing, the XSS code redirected users through a series of other websites, so they ended up at a legitimate-looking page asking for their eBay login and password.
The fake page contained code that had the potential to carry out further malicious actions.
Despite this discovery and calls from security professionals for immediate action, eBay is refusing to disable active content, according to the BBC.
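The control the article says eBay declined to apply is exactly what the redirecting iPhone listing required: refusing active content in seller-supplied HTML. As an added illustration (not eBay's code, and the allowed tags and attributes are assumptions chosen for a listing description, not eBay's policy), the allowlist sanitizer below keeps presentational markup, drops script-bearing elements such as `<script>` and `<meta refresh>`, strips `on*` event handlers and non-http(s) URLs, and reports what it removed so the listing can be flagged for review rather than silently published. The sample listing is constructed to resemble the redirect described above.

```python
"""Allowlist sanitizer and detector for active content in marketplace listings.

Added example, not eBay's code. The tag and attribute allowlists are assumptions
for a typical listing description; the sample listing is constructed.
"""
from html import escape
from html.parser import HTMLParser
import re

# Presentation-only markup a seller reasonably needs (assumed allowlist).
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a", "img",
                "table", "tr", "td", "th", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
# Elements that are active by nature: the element and its content are dropped.
ACTIVE_TAGS = {"script", "style", "iframe", "object", "embed", "form",
               "meta", "link", "base", "svg"}
VOID_ACTIVE = {"meta", "link", "base"}          # no closing tag to wait for
# Only http(s) or protocol-relative URLs survive; javascript:, data: etc. do not.
SAFE_URL = re.compile(r"^(https?:)?//", re.IGNORECASE)


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # rebuilt, sanitized HTML fragments
        self.findings = []     # human-readable record of what was removed
        self._skip_depth = 0   # > 0 while inside an active element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"removed <{tag}> element")
            if tag not in VOID_ACTIVE:
                self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped tag <{tag}>")
            return                                  # text inside is still kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):               # onerror=, onload=, ...
                self.findings.append(f"stripped event handler {name} on <{tag}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not SAFE_URL.match(value.strip()):
                self.findings.append(f"rejected {name}={value!r} on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if tag not in VOID_ACTIVE and self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        if tag not in ("br", "img"):                # void tags: emit no close
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data))           # re-escape decoded text


def sanitize_listing(html):
    """Return (clean_html, findings) for seller-supplied listing HTML."""
    parser = ListingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample resembling the redirecting listing the article describes.
SAMPLE_LISTING = (
    '<h2>Apple iPhone, brand new</h2>'
    '<p>Ships worldwide. <b>Buy it now!</b></p>'
    '<img src="https://example.org/phone.jpg" alt="phone" '
    'onerror="location=\'https://example.net/login\'">'
    '<script>window.location="https://example.net/login";</script>'
    '<a href="javascript:alert(1)">See more photos</a>'
    '<meta http-equiv="refresh" content="0;url=https://example.net/login">'
)

if __name__ == "__main__":
    clean, findings = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    for finding in findings:
        print("-", finding)
```

Any non-empty `findings` list is the signal a moderation pipeline would act on; a listing that needed four removals to become safe is a strong hint that the seller account itself has been hijacked, which matches the pattern the article reports.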
“We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security,” the online auction giant said in a statement.
According to the BBC, innocent user accounts are being hijacked to make the fake listings which contain malicious links exploiting the XSS flaw.
Many of the hijacked accounts reportedly had 100% positive feedback, and had sold hundreds of items.
“Ebay’s attempts to stamp out mischievous meddling in eBay listings failed and allowed the criminals to redirect users to a third-party page,” Cluley wrote in a blog post.
According to Cluley, the underlying problem is that eBay allows its sellers to customise auction listings too much, with functionality not required to sell goods online.
“There are plenty of reasons to be careful when buying items on eBay in the first place, but it is disappointing to find out you also need to keep a keen eye open for scams and malicious scripts that eBay’s security team should really have stamped out in the first place,” he said.
Charles Sweeney, chief executive at security firm Bloxx, was also critical of eBay’s approach to the threat.
“The success of the attack lies very much in its simplicity and people’s acceptance that what they are presented with online is real. What is really concerning is that, once again, eBay has demonstrated an unacceptable attitude to their user’s safety being compromised online,” he said.