The BBC managed to get its hands on a chat transcript from February, showing eBay user Paul Castle explaining the issue: “I was just browsing in Digital Cameras and came across a password-harvesting scam”, he explained. Upon clicking the listing, he found that it “transfers immediately to a password harvest scam page.”
At the time, he stressed that this is a big problem as there could be hundreds of listings doing the same thing. The eBay staff told Castle that the issue had been flagged up with “higher authorities”.
Upon further investigation, the BBC found a total of 64 malicious listings from the past two weeks alone. An eBay spokesperson gave the following statement on Friday:
According to the spokesperson, eBay has a range of security measures in place to detect malicious code and remove listings. However, the company has yet to explain why these measures are failing to catch so many listings, or why it hasn’t been upfront about the issue with its users, having known about the security flaw since the start of this year.
As you would expect, security experts have since criticized eBay for not responding to the issue fast enough. Ilia Kolochenko, XSS expert and chief executive of security firm High-Tech Bridge, has noted that while it is difficult for large sites to be completely free of XSS vulnerabilities, companies must do more to plug the security hole, rather than covering up the issue by removing offending posts every so often.
This isn’t the first time eBay has had security issues this year: it had to force all users to change their passwords a few months back after user information was compromised.
KitGuru Says: The fact that eBay has failed to fix this security issue, despite having known about it since February, is alarming. It may very well have automated systems in place to stop malicious code, but 64 listings have been posted in the last two weeks; these weren’t stopped by the site’s automated measures and could have affected hundreds of users. Hopefully, now that the word is out, eBay will be forced to tighten up its security.