Bargain basement iPhone shoppers BEWARE! eBay exposes users to phishing vuln

Tat bazaar downplays malicious attack on multiple auctions

eBay bans the use of cross-site scripting on the online tat bazaar because it can open up the site's users to nasty phishing vulnerabilities. And yet, according to the BBC, some auction listings have been exposed to the exploit since February this year.

Some users hunting for old iPhones could have been caught up in the security scam, it's been reported.

The Beeb said it spotted 64 listings from the past 15 days that had been exposed to cross-site scripting flaws in eBay's auction listings.

However, eBay downplayed the vuln on Friday and removed some listings from the site. A spokeswoman told the BBC:

This is related to the fact that we allow sellers to use active content like Javascript and Flash on our site.

Many of our sellers use active content like Javascript and Flash to make their eBay listings more attractive. However, we are aware that active content may also be used in abusive ways.

Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code.

But security expert Graham Cluley questioned eBay's seemingly lax response to phishing on its site.

"It would be nice to think that eBay, one of the world’s most popular websites, had its act together when it came to securing its content," he said in a blog post.

"After all, if a hacker were able to boobytrap auction pages on the site to redirect users to a phishing page that asked them to enter their eBay username and password, that would be a pretty bad thing. Right?"

He added:

eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done.
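The stripping Cluley describes is, in practice, an allowlist sanitiser run over seller-supplied listing HTML before it is stored or rendered. The following is an added illustration written for this page, not eBay's code: it uses only Python's standard library, and the tag and attribute allowlist and the constructed sample listing (which carries the kinds of active content the article mentions: a script, an inline event handler and a javascript: link) are assumptions of the example.

```python
# Added example, not eBay's code: an allowlist sanitiser for seller-supplied
# listing HTML. Anything not explicitly allowed (script/object/iframe content,
# on* event handlers, non-http(s) URLs, unknown tags) is dropped, not escaped,
# so no active content survives into the rendered listing.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "li", "img", "a", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}   # assumed policy
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style", "object", "iframe"}   # contents discarded too

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element such as <script>

    @staticmethod
    def safe_attr(tag, name, value):
        # Reject every event handler and every attribute not on the allowlist.
        if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
            return False
        if name in ("href", "src"):   # scheme allowlist blocks javascript:, data:, vbscript:
            return (value or "").strip().lower().startswith(("http://", "https://"))
        return True

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs if self.safe_attr(tag, n, v)]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is re-escaped on the way out

def sanitize_listing(html: str) -> str:
    p = ListingSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed sample listing (not from any real auction page).
SAMPLE_LISTING = ('<p>Used iPhone 4, <b>good condition</b></p>'
                  '<img src="https://img.example/1.jpg" alt="x" onerror="alert(1)">'
                  '<script>window.location="https://example.invalid/login"</script>'
                  '<a href="javascript:alert(1)">bid now</a>')
```

Running `sanitize_listing(SAMPLE_LISTING)` keeps the description and image but drops the script block, the `onerror` handler and the `javascript:` link target.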
