Industry News

eBay Falls Victim to Cross-Site Scripting Attack

eBay Falls Victim to Cross-Site Scripting Attack

Credits: eBay BlogThe British website of online retailer eBay was compromised through a cross-site scripting (XSS) vulnerability, exploited to steal customers’ login credentials, according to the BBC.

Attackers apparently planted malicious Javascript code in product listings to redirect eBay customers interested in cheap Apple smartphones to a spoofed eBay welcome page. Once there, they were asked to enter their account username and password.

The incident was first reported by Paul Kerr, an IT worker from Scotland who contacted eBay and was told that the matter would be considered “of the highest level of security”.

However, the company was criticized for its 12-hour response time in fixing the issue.

“eBay is a large company and it should have a 24/7 response team to deal with this – and this case is unambiguously bad,” said Steven Murdoch from University College London’s Information Security Research Group.

In a statement, the retailer said the issue only affected one item listed on the UK site, information questioned by the BBC.

“This report relates only to a ‘single item listing’ on whereby the user has included a link which redirects users away from the listing page,” a spokesperson said. “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.