An independent security researcher discovered a cross-site scripting (XSS) vulnerability on eBay's website that could be exploited by spearphishers “to steal funds from people, use trusted eBay accounts to scam other users, and more,” according to a Monday blog post.
XSS vulnerabilities let attackers inject script that executes on the client (web browser) side in the context of the trusted site, which in this case could be used to lure users to phishing pages where they are tricked into disclosing data or credentials. The researcher, who goes by the alias MLT, claimed he informed eBay of his discovery on Dec. 11, 2015. However, he added, the company waited a month to patch the vulnerability, acting only after it began fielding media inquiries about the problem.
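To make the mechanism concrete, here is an added illustration in JavaScript that is not part of the article and is not eBay's code: a contrived server-side render function that concatenates a URL query parameter straight into HTML, next to the same function with output encoding applied. The function names, the `escapeHtml` helper and the probe string are all constructed for this example; the point is that encoding the untrusted value is what stops injected markup from being parsed as script.

```javascript
// Added example (not from the article or from eBay): how a reflected XSS
// bug arises from untrusted input and how output encoding neutralises it.
// Every function and the sample input below is constructed for illustration.

// Encode the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the search term from the query string is concatenated
// straight into markup, so the browser parses any tags it contains.
function renderSearchHeaderUnsafe(query) {
  return `<h2>Results for: ${query}</h2>`;
}

// FIXED: the same page, with the untrusted value encoded before it is
// placed inside HTML. The browser now shows the tags as literal text.
function renderSearchHeaderSafe(query) {
  return `<h2>Results for: ${escapeHtml(query)}</h2>`;
}

// Crude check used only to show the difference between the two renderers:
// does the rendered HTML still contain a raw <script> element?
// (This is an illustration, not a production detector.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input standing in for a crafted value delivered via a link.
const probe = '<script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderSearchHeaderUnsafe(probe));
  console.log('safe:  ', renderSearchHeaderSafe(probe));
}
```

Encoding at the point of output is the fix for the specific bug; a Content-Security-Policy that disallows inline script is the usual defence-in-depth layer, because it limits what an injected script can do even when one encoding site is missed.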
In the post, MLT offered a “how-to” for pulling off an XSS-based phishing attack, including using mirroring software to imitate eBay's log-in page.