eBay XSS password-stealing security hole “existed for months”

Graham Cluley
Graham Cluley
@[email protected]

eBayLast week an alarm was raised about a security hole on the eBay website which had caused at least one potential purchaser to be transported to a password-stealing scam instead of an auction page flogging an iPhone.

As I explain in the following video, hackers had managed to exploit an XSS (cross-site scripting) flaw in eBay to take unsuspecting users to a phishing page.

eBay XSS vulnerability used iPhones as bait, redirected users to phishing page | Graham Cluley

Fortunately, eagle-eyed IT consultant Paul Kerr spotted that he was being redirected a phishing page, and informed eBay’s support team regarding the serious issue.

Sign up to our free newsletter.
Security news, advice, and tips.

But unfortunately, eBay did nothing about it until a journalist at the BBC later got in touch.

Oh dear.

Of course, the same flaw could have been abused to not just redirect web browsers to a phishing page but to any manner of dangerous webpages, including content that might have been designed to infect users’ computers with malware. And the poisoned auction listings didn’t need to be selling iPhones, they could have just as easily used anything from a vintage gumball vending machine to a Whizzer and Chips 1970 Holiday Special as a lure.

At the time I worried that the flaw might have existed for some time, and that eBay’s claim that it was an isolated incident might not be entirely accurate.

Sadly, it looks as though I was right to have those fears.

A new report from the BBC claims that the vulnerability has been in existence since at least February of this year, and says that several eBay users have come forward and reported that they have had similar experiences which appear to be tied to the same flaw.

BBC eBay report

One user who contacted the BBC was Paul Castle, who shared a chat transcript that he had had with eBay’s support team back in February:

“I was just browsing in Digital Cameras and came across a password-harvesting scam.”

“This is potentially a big security problem for eBay users. There could be hundreds.”

eBay’s support team responded to Castle, saying that they would escalate the concern to “higher authorities”.

In further investigations, the BBC uncovered 64 listings from the past 15 days that “posed a danger to users”.

None of this, of course, should ever have been allowed to happen. eBay says it has rigorous guidelines regarding the use of HTML and JavaScript on its auction listings.

eBay guidelines for HTML and Javascript

Indeed, eBay claims that it will display an error message if it determines the rules are being broken:

If you try to use scripts that we disable, you’ll get an error message that says “Disallowed JavaScript/HTML Syntax”. This means you can’t list the item, or the script will be disabled at run-time.

To help keep our website working the way we designed it to, we don’t allow using HTML or JavaScript functions that manipulate or change the way the site and its features operate.

Clearly, however, eBay’s attempts to stamp out mischievous meddling in eBay listings failed and allowed the criminals to redirect users to a third-party page.

I think the underlying problem here is that eBay allows its sellers to customise auction listings too much, with too many bells and whistles and functionality that probably isn’t required to sell goods online. What’s wrong with having a simple photograph or two, and a text description of the goods on sale?

Why should you have to wade through ghastly-designed auction pages which look like someone has vomited a bucket’s worth of ugly HTML onto the page and ended up with something which looks like a badly-designed MySpace profile? It certainly turns me off some item listings on eBay, and clearly giving users that much flexibility has also introduced some serious security issues.

There are plenty of reasons to be careful when buying items on eBay in the first place, it’s disappointing to find out that you also need to keep a keen eye open for scams and malicious scripts that eBay’s security team should really have stamped out in the first place.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “eBay XSS password-stealing security hole “existed for months””

  1. After eBay 'donated' my personal details to the dark fraternity earlier this year, I was no longer able to view those personal details so that I could remind myself of exactly what information eBay had kindly disclosed on my behalf. It is as though by concealing that information from its rightful owner that eBay is pretending that the problem does not exist.

    eBay presumably has a corporate culture which compels all its people to be in denial, especially those at the most senior levels. If they delude themselves that there is not a problem, then there isn't as far as they are concerned.

  2. Coyote

    "I think the underlying problem here is that eBay allows its sellers to customise auction listings too much, with too many bells and whistles and functionality that probably isn’t required to sell goods online. What’s wrong with having a simple photograph or two, and a text description of the goods on sale?"

    You're quite correct. I think I referred to this (maybe vaguely) in the other post you made. Indeed the problem is that they allow this customisation (which as you correctly point out is not necessary) and they clearly don't sanitise (which IS necessary) things well. Hence my satire + sarcasm in the other post (my response when referring to this update here). If they actually took care of a very common flaw in websites, they wouldn't have this problem. Yet, to them it is simply not fair (which really means they are trying to show they take it seriously but do not). Their statement, as the BBC reported it (and quotes) was:

    In a statement, eBay said it had a dedicated team working on security, but that criminals "intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems".

    It is one thing to address the problem in a responsible manner (which includes being appreciative of the report, evaluating things in full, … and working to maintain it [1]). It is another when they make statements like the above (and other statements about how it was an isolated case (which clearly isn't true)).
    [1]I wonder if they have a proper security policy like all corporations should have? Then again, perhaps they aren't so bad, seeing as other corporations ALSO play the victim game (and claim isolated event and so on). I think it comes down to responsibility. Can't expect perfection but one would like to believe that responsibility is in play (and always striving to better themselves/customers/…).

    Simply put: they allow custom scripts as well as linking off site. Both of those are going to be (technically, just remove "going to be" and leave it at "are") problematic as has been clearly demonstrated.

  3. doktorthomas3

    eBay has a laisez-faire attitude about everything except getting their money. It is no surprise their IT was unconcerned (may still be unconcerned). American IT is so far behind they can barely understand security issues… we may write the software, but others exploit it in a superior fashion at levels not envisioned.
    Catch-up, the most American game.
    I have little faith in American IT departments; no faith in anything "cloud."
    Did you know most offending bots hail from two sources: China and Amazon servers. Don't take my word; do your own research. ©2014 DoktorThomas™

  4. anonymous

    you should read this tweet from CERT


What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.