eBay Web Site “Not A Safe Place To Visit”, New Security Flaws Discovered

UK university student Jordan told eBay about the second vulnerability last Friday, but the company failed to respond, so he has gone public.

Jones claims that the new vulnerability is a ‘cross-site scripting flaw’, which means that code from an outside source can be made to execute within the eBay website.

This could allow hackers to collect cookies – small files that contain snippets of personal data – from logged-in eBay users who visit a page that has been injected with the attack code.

The security researcher, who last week uncovered the original vulnerability in eBay’s website that allowed hackers to steal the personal details of 233 million customers, claims that the eBay website is not a safe place to visit.

Jones uploaded a screenshot showing that he was able to create a pop-up box on eBay’s labs webpage using this technique.

“EBay should be on top of their stuff,” he said in an interview with PCWorld.

In an email sent to ChannelNews last week, eBay said that it takes all vulnerabilities very seriously. In Australia, eBay communications staff have chosen not to return telephone calls, instead putting out corporate spin statements rather than addressing serious questions about a website that attracts millions of Australian visitors.

eBay claims that the latest issue reported by Jones is unrelated to the breach reported last week.

“This is not a new type of web application vulnerability on sites such as eBay. This is related to the fact that we allow sellers to use active content like JavaScript and Flash on our site,” the company said.

“Many of our sellers use active content like JavaScript and Flash to make their eBay listings more attractive. However, we are aware that active content may also be used in abusive ways.”

eBay said that, in light of this problem, it maintains a multi-level security system to prevent and detect the use of malicious code on its sites.

“First, we employ technologies that prevent sellers from using certain kinds of active content in their item descriptions. Secondly, we apply technologies that support us in identifying malicious content in listings and take the appropriate actions to remove it,” it said.

“Therefore we ask anyone who believes they have detected any form of vulnerability on our site to report it immediately through our report a problem centre.”
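The two measures eBay describes above, blocking active content in seller descriptions and flagging what is caught, amount to a server-side allow-list filter. The following is an added illustration of that approach, not eBay's own code; the allow-listed tags and attributes and the `dropped` audit list are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list policy for seller-supplied listing HTML (assumed here; not eBay's actual rules).
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
# Active-content elements are removed together with their bodies, not just their tags.
ACTIVE_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside an ACTIVE_CONTENT element
        self.dropped = []    # everything removed; a feed for abuse detection

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_CONTENT:
            self.skip_depth += 1
            self.dropped.append(tag)
        elif not self.skip_depth and tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # unknown tag goes, its text content stays
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            # Remove event handlers, non-allow-listed attributes, and non-http(s) href/src (e.g. javascript:).
            if (name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set())
                    or (name in ("href", "src") and not value.lower().startswith(("http://", "https://")))):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # script/style bodies are discarded
            self.out.append(escape(data, quote=False))

def sanitize_listing(html):
    """Return (clean_html, dropped) for one seller description."""
    s = ListingSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped
```

Anything that lands in `dropped` is exactly the signal the second measure needs: a listing that repeatedly tries to include script elements or event-handler attributes can be queued for review rather than silently cleaned.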

Last week security researchers warned Australian users of eBay that they could be at risk of identity theft after their personal data was stolen in the world’s biggest online security breach.

The company admitted that the name, address, date of birth, telephone number, email address and password of every eBay account holder – 233 million people worldwide – were in the hands of the hackers.

The UK Daily Telegraph said that after the eBay announcement, British MPs accused the US-based firm of an “inexcusable” delay in admitting that its servers had been accessed by hackers up to three months ago. eBay is currently in the process of notifying customers by email.

A YouGov poll on behalf of Clearswift revealed that almost half of UK residents said that they will be wary of using eBay in the future.