Security at eBay has once again been compromised after a cross-site scripting (XSS) attack put users’ personal data at risk.
The security breach comes after another serious breach in May, when eBay asked 145 million users to change their passwords after hackers used the credentials of three eBay employees to access the email addresses and encrypted passwords of all users of the site.
The attack on eBay was a cross-site scripting (XSS) attack, in which users were redirected to a spoof website designed to steal their credentials. It is not known at this stage how many users have been affected, said the BBC.
Cluley highlighted how Paul Kerr, an eBay PowerSeller and IT worker in Scotland, stumbled across some cheap iPhones for sale on eBay. But when clicking on the link, he discovered that users were redirected to another webpage designed to look like the online marketplace’s welcome page. Users were then asked to enter their eBay usernames and passwords.
“eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done,” wrote Cluley, who also condemned the tardy response. “But, worse than that, why did it require the BBC to investigate before action was taken?”
To make matters worse, a spokesman for eBay reportedly played down the scope of the attack.
“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page,” an eBay spokesman was quoted by the BBC as saying. “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”
However, the BBC reportedly identified that a total of three listings had been posted by the same account involved. At least two of them produced the same redirect behaviour. The third was removed by eBay, along with the other two, before it could apparently be checked.
This is not the first time that eBay has been exposed. Back in May, the company was forced to admit that the personal details of millions of users had been exposed in an attack. Following that, the UK Information Commissioner’s Office (ICO) said it was coordinating with European authorities to launch a probe into the eBay breach.
eBay is also being investigated by the US states of Connecticut, Florida and Illinois over that attack.