Security at eBay has once again been compromised after a cross-site scripting (XSS) attack put users’ personal data at risk.
The security breach comes after another serious breach in May, when eBay asked 145 million users to change their passwords after hackers used the credentials of three eBay employees to access the email addresses and encrypted passwords of all users of the site.
The attack on eBay was a cross-site scripting (XSS) attack, in which users were redirected to a spoof website designed to steal their credentials. It is not known at this stage how many users have been affected, said the BBC.
Cluley highlighted how Paul Kerr, an eBay PowerSeller and IT worker in Scotland, stumbled across some cheap iPhones for sale on eBay. But when clicking on the link, he discovered that users were redirected to another webpage designed to look like the online marketplace’s welcome page. Users were then asked to enter their eBay usernames and passwords.
“eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done,” wrote Cluley, who also condemned the tardy response. “But, worse than that, why did it require the BBC to investigate before action was taken?”
To make matters worse, a spokesman for eBay reportedly played down the scope of the attack.
“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page,” an eBay spokesman was quoted by the BBC as saying. “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”
However, the BBC reportedly identified a total of three listings posted by the same account. At least two of them produced the same redirect behaviour. The third was removed by eBay, along with the other two, apparently before it could be checked.
This is not the first time that eBay has been exposed. Back in May, the company was forced to admit that the personal details of millions of users had been exposed in an attack. Following that, the UK Information Commissioner’s Office (ICO) said it was coordinating with European authorities to launch a probe into the eBay breach.
eBay is also being investigated by the US states of Connecticut, Florida and Illinois over that attack.