It would be nice to think that eBay, one of the world’s most popular websites, had its act together when it came to securing its content.
After all, if a hacker were able to boobytrap auction pages on the site to redirect users to a phishing page that asked them to enter their eBay username and password, that would be a pretty bad thing. Right?
Paul Kerr, an eBay PowerSeller and IT worker from Alloa in Clackmannanshire, Scotland, stumbled across some iPhones for sale on eBay which had quite a sting in their tale.
Watch this video to learn more.
Although in this case it was cheap iPhones that were being used as bait to catch unwary eBay users, it could just as easily have been other items that attackers had used to lure surfers into handing over their eBay usernames and passwords.
eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done. But, worse than that, why did it require the BBC to investigate before action was taken?
You should always be careful when buying second-hand items, especially if they appear to be being flogged off cheaply in as rush because a new model of the phone is coming out, and have your wits about you.
But I wonder how many people would also expect to have to be on the lookout for phishing attacks when they were harmless browsing around eBay?
More details can be found on the BBC News website.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
5 comments on “eBay XSS vulnerability used iPhones as bait, redirected users to phishing page [VIDEO]”
Love the video. And the ridiculing them is excellent, too (and apparently needed). As I suggested in the email I sent, I always did wonder why they allowed scripts and if nothing else why they did not sanitise them but that's eBay for you. And that the BBC had to tell them off is quite… scary. Love your 'to their credit' sarcasm (of course, I love satire, sarcasm and word play, in general).
As usual, great write-up. What I really like about your website, and this is huge, is your quick write-ups that are both insightful but also easy enough for people that aren't like some of the regulars (read: people who are not so knowledgeable about computers and more so security). With my websites I typically write much more technical details (and do not alert users to most current risks) and I'm not a good teacher in general, at least not about many things, unless it is for someone who already has the proper aptitude (and I write about much more technical things besides security). This makes your website very different and a very well needed thing to this day (and it would have been equally true in the 90s, really, because even then it was bad although at least then it was less about fraud/theft/etc).
Keep it up!
Indeed true. I've mentioned the plugin multiple times, here. I've also mentioned how it can indirectly protect you from non-XSS phishing attacks (or put another way: let's say you click on a link – yes, bad, but… – in an email and everything looks fine. You could be alerted indirectly by noscript).
There is a problem with noscript though. It isn't noscript directly but rather users: they are inconvenienced by scripts (and many, many sites) being broken (and allowing temporarily, reloading, then doing again because scripts often reference scripts on other websites which aren't loaded until the original scripts load and this can happen multiple times per website). It's unfortunate though, because indeed among other things, noscript catches XSS attacks (although nothing is perfect).
Update, more from the BBC. Love the irony there. Yet I'm not surprised in the least; they have wonderful content and eBay on the other hand is… dense, to say the least (and that is as nice as I can muster and it is far too nice even):
A flaw that has exposed eBay customers to malicious websites has been affecting the site since at least February, the BBC has found.
EBay removed several posts, but said it was an isolated incident.
Furthermore, several readers contacted the BBC detailing complaints they had made to the site.
In a statement, eBay said it had a dedicated team working on security, but that criminals "intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems".
Yes, eBay, because it is so unfair… you're… you're just the victim of an ancient type of attack that you should have been filtering to begin with. I know, it is difficult to fathom and indeed it is just so unfair. Of course, it is isn't like this when the same happens to others, including malware, DoS/DDoS (oh, wait.. I'm sorry, how arrogant and forgetful of me – you were a victim of that years ago, when a 13 year old calling himself Mafia Boy dropped eBay and other sites to its knees … so that doesn't count), and countless other attacks. You're right, it isn't fair – life isn't fair. That doesn't mean you shouldn't be responsible and it doesn't mean the blame game is helpful!
I could have sworn he was 13 but sources suggest he was 15. Well, it was 14 years ago and I am amazed I even remembered the incident. Either way, that he could admit (eventually) how stupid it was and that he didn't understand the consequences of his actions, you'd think eBay could do that too. But can they? Of course not. But I know, I know… it just isn't fair. It's fine eBay, we all understand your suffering, your hardships… but frankly we only care that you act like a little brat who cannot grow up and face the truth of how everyone – sorry, I mean everyone and every organisation/corporation except eBay! – is responsible for their own actions, their own lives and indeed mistakes, flaws, …