Another Data Breach Plagues eBay

Online auction giant eBay is in hot water following a report by the BBC that dozens of listings on the site have been used to con shoppers into surrendering private information. According to the news service, the listings automatically redirect users to malicious Web sites as part of a password harvesting scam.

Users have complained of being locked out of their accounts after the accounts were hijacked by scammers. Some have also been charged fees by the company for sales they say they never made.

eBay Aware Since February

eBay removed several posts as a result of the stories, and said that it would continue to review site content for malicious postings. However, the company told the BBC that it viewed the vulnerability as an isolated incident, saying that hackers "intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems."

Although eBay said it moved quickly to address complaints of the flaw once it became aware of it, the BBC said it spoke with users who have been complaining about the vulnerability to eBay since at least February. The news service found 64 listings posted in the last 15 days that could pose threats to users.

The sites appear to be part of a phishing scheme designed to harvest eBay users' personal data such as bank accounts, credit card numbers, and passwords. However, the sites could potentially expose users to even greater threats, such as infecting their computers with malware. The company maintained that this type of security problem is not a new one for services like eBay.

Cross-Site Scripting Exploit

The exploit seems to stem from eBay's policy of allowing sellers to use Flash and JavaScript in their listings to create so-called "active" content. Both technologies are vulnerable to cross-site scripting attacks that transfer...
