TDR

eBay addresses XSS issue affecting auction page visitors

September 18, 2014

A BBC report has revealed that an auction page on eBay.co.uk left visitors vulnerable to cross-site scripting (XSS) attacks. To take advantage of the security issue, scammers placed malicious JavaScript code in the product listing page so that users would be redirected to a phishing site, BBC said.

Paul Kerr, an eBay “power seller” and IT worker, initially reported the issue to eBay and eventually posted a video of the attack on YouTube.

Kerr showed that the phishing page was designed to look like a legitimate eBay login portal to trick users into entering their credentials. eBay told BBC that the issue affected only a “single item listing” on eBay.co.uk, where an iPhone 5 was being auctioned, and that it removed the listing. The e-commerce company was alerted to the attacks on Wednesday, but removed the listing more than 12 hours later.
