Auction site eBay has come in for criticism after appearing to drag its heels over fixing a cross-site scripting (XSS) vulnerability that allowed attackers to booby-trap links so that they redirected users to a phishing page.
The hackers had apparently exploited the common vulnerability to inject malicious JavaScript into several listings for cheap iPhones.
Once a user clicked on one of these listings, they were taken to what appeared to be an eBay log-in page. On closer inspection, however, the page was hosted elsewhere and had been designed to harvest user log-ins for the hackers.
The incident was first spotted by Paul Kerr, an IT worker from Alloa, who told the BBC that after contacting eBay he was assured the matter would be reported “to the highest level of security” to be resolved.
However, the US giant appeared only to take action after the BBC got in touch to check on the progress of the complaint.
Security expert Graham Cluley warned users to exercise caution when buying second-hand items, especially if they appear too good to be true.
“EBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done,” he added in a blog post.
“But, worse than that, why did it require the BBC to investigate before action was taken?”
Chris Oakley, principal security consultant at Nettitude, added that XSS has been a known attack vector for years and sits at number three in the OWASP Top Ten.
“EBay appears to have been vulnerable to a variant of cross-site scripting that allowed malicious code to be delivered to its users without any interaction between the attacker and the victim required, which is arguably the most severe form of this vulnerability,” he said in an emailed comment.
“The preventions are well understood and one would expect all organisations – particularly those with vast quantities of customer data to protect – to have the required defences in place. After all, attackers are adept at exploiting any gap that exists in security defences, and it only takes one successful attempt for a disastrous data breach to occur.”
The auction giant’s security processes were found wanting earlier this year when it reacted slowly to a massive data breach.
“Why has it taken an organization with the resources of eBay three months to notice that was being accessed inappropriately, not to mention exfiltrated? Where are the breach detection systems?” wrote Trend Micro vice president of security research, Rik Ferguson, in an open letter at the time.
Others complained that eBay’s password reset reminder email took weeks to reach some users.