eBay Phished Again
Some major holes in eBay security have been uncovered after the BBC discovered multiple fake iPhone and other product listings on the auction site that dupe users into handing over private information.
Over 100 fake eBay listings were uncovered, according to the report, although most have now been removed. Some of the fake listings are believed to have been in place since February.
But, worryingly, an ‘eBay power user’ discovered the fake listing for an iPhone 5S that redirected shoppers to a spoof eBay site and alerted the e-commerce giant, yet the listing was left untouched for 12 hours until it was reported in the media. The spoof site asked victims for their eBay login and their bank account details.
This suggests eBay still hasn’t learnt its lesson from the last hack, which exposed 145 million users’ account details and which the site failed to discover until months later.
Several other eBay users also reported the latest phishing attack. Apart from iPhones, the fake listings also flogged other consumer items like televisions, hot tubs and clothing.
“Many of the accounts had 100% positive feedback, and had sold hundreds of items,” the BBC reported.
One victim whose eBay account was hijacked was locked out of the account and later billed around 35 GBP (A$64) by eBay to cover seller’s fees for items left unsold.
Security experts say the attack employed cross-site scripting (XSS), which exploits a flaw in a website that ‘allows for the injection of client-side script code by unauthorized users’, Sophos reports. In this case the injection point was the listing description itself, which eBay lets sellers format with their own HTML; the script embedded there sent anyone viewing the listing on to the spoof site.
Security expert Graham Cluley says eBay has “dropped the ball” on security and believes allowing sellers too much customisation of listings is partly to blame.
“eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done.
“But, worse than that, why did it require the BBC to investigate before action was taken?” he wrote.
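Cluley’s point is that seller-supplied markup should be filtered before it reaches a buyer’s browser, so that a `<script>` block, an `onmouseover` handler or a `javascript:` link never survives into the rendered listing. The Python below is an added example and is not eBay’s code, Sophos’s code or anything from the BBC report: it is an allowlist sanitiser over listing HTML that keeps a small set of formatting tags, drops script, iframes and event-handler attributes, and refuses any link or image that does not point at a host the marketplace controls (the `ALLOWED_LINK_HOSTS` set, the tag allowlist, and the constructed `SAMPLE_LISTING` with its `spoof.example` placeholder are all assumptions made for the example). It also returns an audit list of what it removed, which is the signal a marketplace could use to pull a listing for review in minutes rather than 12 hours.

```python
"""Allowlist sanitiser for seller-supplied listing HTML.

Added example, not eBay's own code. The tag/attribute allowlist, the
ALLOWED_LINK_HOSTS set and SAMPLE_LISTING are assumptions for illustration.
"""
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed policy: a few formatting tags, a few attributes, and links or
# images only to hosts the marketplace itself operates.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "table", "tr", "td", "th", "div", "span", "font", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"},
                 "font": {"color", "size"}}
VOID_TAGS = {"br", "img"}
# Elements whose whole content is discarded, not just the tag. An unclosed
# one swallows the rest of the description, which fails closed.
SKIP_TAGS = {"script", "style", "iframe", "object", "form"}
ALLOWED_LINK_HOSTS = {"www.ebay.co.uk", "i.ebayimg.com"}  # assumed allowlist


def safe_url(value: str) -> bool:
    """Only absolute http(s) URLs to allowlisted hosts survive. One check
    rejects javascript:, data:, vbscript:, scheme-relative //host and every
    third-party host (urlparse lowercases scheme and hostname for us)."""
    url = urlparse(value.strip())
    return url.scheme in ("http", "https") and url.hostname in ALLOWED_LINK_HOSTS


class ListingSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitised output fragments
        self.skip_depth = 0  # > 0 while inside a SKIP_TAGS element
        self.dropped = []    # audit trail: "tag" or "tag@attr[=value]"

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # HTMLParser lowercases names, so onClick / ONMOUSEOVER are caught.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not safe_url(value):
                self.dropped.append(f"{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so a stray "<" in a description cannot open a tag.
        if not self.skip_depth:
            self.out.append(escape(data))
    # Comments and declarations hit the no-op defaults and are dropped.


def sanitize_listing(raw_html: str) -> Tuple[str, List[str]]:
    """Return (clean_html, dropped) for one seller-supplied description."""
    s = ListingSanitizer()
    s.feed(raw_html)
    s.close()
    return "".join(s.out), s.dropped


def needs_review(dropped: List[str]) -> bool:
    """True when the removal log shows active content (script, iframe,
    event handlers), i.e. an attempted injection rather than sloppy markup."""
    for entry in dropped:
        tag, _, attr = entry.partition("@")
        if tag in SKIP_TAGS or attr.startswith("on"):
            return True
    return False


# Constructed sample: a plausible listing body carrying the three redirect
# tricks the article describes. spoof.example is a placeholder host.
SAMPLE_LISTING = """
<p><b>Apple iPhone 5S</b> - brand new, boxed.</p>
<img src="https://i.ebayimg.com/images/phone.jpg" alt="phone">
<script>window.location = "http://spoof.example/ebay/signin";</script>
<a href="JAVASCRIPT:window.location='http://spoof.example/'" onmouseover="location.href='http://spoof.example/'">Click here to buy now</a>
<a href="http://spoof.example/ebay/signin">Secure checkout</a>
<iframe src="http://spoof.example/"></iframe>
"""

if __name__ == "__main__":
    clean, dropped = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    print("removed:", dropped)
    print("flag for review:", needs_review(dropped))
```

The allowlist is deliberately the reverse of a "strip known-bad" filter: anything not explicitly permitted is discarded, so a new tag or attribute the filter author never heard of cannot slip through. The host check on `href` and `src` is what enforces a policy like eBay’s ban on third-party links, and it catches the scheme tricks (`JAVASCRIPT:`, `//host`, `data:`) in the same place.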
However, eBay denies that multiple product listings were compromised, saying: “This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page.
“We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”