iPhone fans who are thinking of snapping up a second-hand iPhone 5S on eBay be wary. eBay was discovered to have a vulnerability that allows hackers to steal users' usernames and passwords using a script inserted into a listing for an iPhone 5 and several other items.
The attack, which is called cross-site scripting (XSS), allows malicious Internet users to incorporate JavaScript code into individual eBay listings. Once users click on the listing, their browsers automatically get redirected to a fake eBay page mimicking eBay's own login page that prompts the users to enter their username and password.
The phishing page was first discovered by eBay PowerSeller and IT worker Paul Kerr of Clackmannanshire, Scotland, who informed the BBC of his discovery. Kerr said he was able to identify the problem when he noticed that the URL of the page that was asking for his username and password was different, saying that users with little or no IT experience will most likely not be aware that they are entering their login information on a spoof page.
"It's guaranteed - you can bet your bottom dollar that somebody's going to click on that and be redirected to a third-party site and they're going to enter their details and be compromised," says Kerr. "You don't know how many of the hundreds of thousands of people who use eBay will have done that."
Kerr says he also contacted eBay immediately to report the vulnerability on Wednesday night but criticizes the company for its delayed response to the problem, with a customer service representative only promising that she was going to "report that to the highest level of security to get it looked into." The listing was removed only 12 hours after when the BBC made a follow-up call to Kerr's report.
eBay has been trying to downplay the issue, saying that the glitch affects only a "single item listing" on eBay.co.uk. However, the BBC discovered 64 other listings from the last 15 days containing the same malicious script that redirects users to the fake page that phishes for their login credentials. Two of these listings were posted by the same account discovered by Kerr.
eBay says the vulnerability to cross-site scripting is not uncommon for large websites that allow their users to insert active content such as JavaScript and Flash on their pages. The company also says it has security features "designed to detect and then remove listings containing malicious code."
Like Kerr, other security experts criticize eBay for its slow response time, noting that several of the malicious listings are still up for the clicking. Dr. Steven Murdoch of University College London says a large company such as eBay should have been able to remove the listings immediately.
"eBay should as a matter of priority have looked for all the other links which exploited the same vulnerability and removed these too, as well as closing off the vulnerability from future attackers," Murdoch says.
XSS expert Ilia Kolochenko of High-Tech Bridge security firm admits it is not easy for a large website like eBay to be completely free of XSS-related problems, but eBay should have acted quickly to clean up its website once vulnerability has been reported.
"If someone has reported an issue to eBay, and the vulnerability was not fixed promptly, this is a bad thing," says Kolochenko.
