
Recently patched XSS vulnerability on eBay invited spearphishing

An independent security researcher discovered a cross-site scripting (XSS) vulnerability on eBay's website that could be exploited by spearphishers “to steal funds from people, use trusted eBay accounts to scam other users, and more,” according to a Monday blog post.

XSS vulnerabilities allow hackers to inject code that is executed on the client (web browser) side, which can be used to lure users to phishing pages where they are tricked into disclosing data or credentials. The researcher, who goes by the alias MLT, claimed he informed eBay of his discovery on Dec. 11, 2015. However, he added, the company waited a month to patch the vulnerability, doing so after it began fielding media inquiries about the problem.

In the post, MLT offered a “how-to” for pulling off an XSS-based phishing attack, including using mirroring software to imitate eBay's log-in page.
