eBay attack puts its buyers at risk
Published 2014-09-17 15:49, https://citifmonline.com/2014/09/ebay-attack-puts-its-buyers-at-risk/
EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials.
The spoof site had been set up to look like the online marketplace’s welcome page.
The US firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later.
One security expert said he was surprised by the length of time taken.
“EBay is a large company and it should have a 24/7 response team to deal with this – and this case is unambiguously bad,” said Dr Steven Murdoch from University College London’s Information Security Research Group.
The security researcher was able to analyse the listing involved before eBay removed it.
He said that the technique used was known as a cross-site scripting (XSS) attack.
It involved the attackers placing malicious JavaScript code within product listing pages. This code in turn automatically redirected affected users through a series of other websites, so that they ended up at the page asking for their eBay log-in and password.
Users only had to click the original listing to have their browser hijacked.
“The websites the user is being redirected to are almost certainly compromised by the attacker to hide his or her traces,” Dr Murdoch explained.
He added that the fake page the users were ultimately delivered to contained code that had the potential to carry out further malicious actions.
“EBay is pretty competent, but obviously it has been caught out here,” he said.
“Cross-site scripting is well within the top 10 vulnerabilities that website owners should be concerned about.”
A spokesman for eBay played down the scope of the attack.
“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page,” he said.
“We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”
However, the BBC identified that a total of three listings had been posted by the same account involved.
At least two of them produced the same redirect behaviour. The third was removed by eBay, along with the other two, before it could be checked.
Delayed reaction
The issue was originally identified by Paul Kerr, an IT worker from Alloa in Clackmannanshire who is also an “eBay PowerSeller”.
He called the firm shortly after he had clicked on a listing for an iPhone and been redirected.
“The advert had been up for 35 minutes,” he told the BBC.
“When I spoke to the lassie on the phone, she said: ‘I’m going to report that to the highest level of security to get it looked into.’ And she did emphasise that.
“They should have nailed that straight away, and they didn’t.”