
eBay’s latest setback: Redirect attack threatens account details

The online auction site eBay has suffered another setback after it was slow to act on reports that its listings were being used to phish its customers.

The US firm took more than 12 hours to remove links that redirected users to a site designed to steal their credentials.


Dr Steven Murdoch from University College London's Information Security Group said he was surprised the company took so long to remove the threat.

"eBay is a large company and it should have a 24/7 response team to deal with this - and this case is unambiguously bad."

Analysing the links, Dr Murdoch said that the technique was known as a cross-site scripting (XSS) attack. It involves the attackers inserting malicious lines of code into a product listing page, which redirects users to a fake eBay welcome page, where they are asked to re-enter their account details.

"eBay is pretty competent, but obviously it has been caught out here," he added.

"Cross-site scripting is well within the top 10 vulnerabilities that website owners should be concerned about."
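The mechanism Dr Murdoch describes is a stored cross-site scripting flaw: seller-supplied listing text is pasted into the page as markup, so a script tag in a description runs in every visitor's browser and can send them anywhere. The following is an added illustration, not eBay's code or any code analysed in the report; the listing text, the seller-controlled payload and the look-alike login URL are all constructed for the example, and the renderer functions are hypothetical. It shows a renderer that concatenates the description into the page beside one that escapes it, with a small check for whether the resulting markup would navigate the visitor away.

```javascript
// Added example: a listing page that inserts seller-supplied HTML verbatim
// (the pattern behind the stored XSS described above) next to a version that
// escapes it. All listing text and URLs here are constructed; none of this is
// eBay's code or data.

// Constructed attacker payload: a seller writes this into a listing
// description. If the page inserts it unchanged, the browser runs the script
// and sends the visitor to a look-alike login page (hypothetical domain).
const MALICIOUS_DESCRIPTION =
  'Genuine item, fast shipping!' +
  '<script>window.location.href="https://login-ebay.example/welcome";</script>';

// Ordinary listing text a well-behaved seller might write, including
// characters that must survive escaping intact.
const BENIGN_DESCRIPTION = 'Lot of 3 cables, <2m each> & tested';

// Minimal HTML escaping for text nodes: the five characters that can start
// markup or an entity are replaced with entity references.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Vulnerable renderer (hypothetical): the description is concatenated into the
// page as markup, so any tags the seller typed become part of the DOM.
function renderListingUnsafe(title, description) {
  return `<h1>${title}</h1><div class="description">${description}</div>`;
}

// Hardened renderer: every seller-controlled string is escaped before it is
// placed into a text context, so '<script>' is displayed, not executed.
function renderListingSafe(title, description) {
  return `<h1>${escapeHtml(title)}</h1>` +
    `<div class="description">${escapeHtml(description)}</div>`;
}

// Stand-in for the browser's HTML parser, sufficient for this demonstration:
// returns the bodies of any <script> elements that would be executed.
function scriptsInMarkup(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Would the rendered page run script that navigates the visitor elsewhere?
// This is the condition to flag: seller content reaching window.location.
function redirectsVisitor(html) {
  return scriptsInMarkup(html).some((body) =>
    /location\.(href|replace|assign)|location\s*=/.test(body));
}

// Demonstration on the constructed payload.
const unsafe = renderListingUnsafe('Camera lens', MALICIOUS_DESCRIPTION);
const safe = renderListingSafe('Camera lens', MALICIOUS_DESCRIPTION);
console.log('unsafe page redirects:', redirectsVisitor(unsafe)); // true
console.log('safe page redirects:', redirectsVisitor(safe));     // false
console.log(renderListingSafe('Cables', BENIGN_DESCRIPTION));
```

Escaping on output is the baseline fix; sites that must allow some seller HTML instead run it through an allow-list sanitiser and add a Content-Security-Policy that blocks inline script, so a missed tag still cannot redirect the visitor.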

While an eBay spokesman has sought to play down the attack as a "single item listing," the BBC reports that a total of three listings had been posted by the same account.

At least two of the links produced the redirect, while the third was removed by the US company before it could be analysed.

Paul Kerr, an IT worker from Alloa in Clackmannanshire, who originally identified the issue, said that with eBay's massive userbase, people were likely to have clicked the links during the time it took to remove them.

"You don't know how many of the hundreds of thousands of people who use eBay will have done that," he said.


The security threat is the latest in a series of technical errors to plague the online auction site. Last week, many users who could not log in were wrongly told that their password was incorrect, and in May the company revealed that a database containing sensitive data had been compromised.