
eBay addresses XSS issue affecting auction page visitors

A BBC report has revealed that an auction page on eBay.co.uk left visitors vulnerable to cross-site scripting (XSS) attacks. To exploit the security issue, scammers placed malicious JavaScript code in the product listing page so that users would be redirected to a phishing site, BBC said.

Paul Kerr, an eBay “power seller” and IT worker, initially reported the issue to eBay and eventually posted a video of the attack on YouTube.

Kerr showed that the phishing page was designed to look like a legitimate eBay login portal to trick users into entering their credentials. eBay told BBC that the issue affected only a “single item listing” on eBay.co.uk, where an iPhone 5 was being auctioned, and that it had removed the listing. The e-commerce company was alerted to the attacks Wednesday, but removed the listing more than 12 hours later.
