eBay’s latest security flaw has been stealing user passwords since February

eBay user information has been at risk for months, not weeks: a chat log from one user reveals that the password scam has been around for a lot longer than first thought.

One user who contacted the BBC explained that he found the problem as early as February 2014 and reported it to eBay’s support staff in an online chat, the log of which outlines the problem in some detail.

“I was just browsing in Digital Cameras and came across a password-harvesting scam,” wrote eBay user Paul Castle in an online chat with support staff.

He went on to say that once the link has been clicked, it takes the user straight to a password-harvesting scam page that attempts to steal that user's information.

“This is potentially a big security problem for eBay users,” he stated. “There could be hundreds.”

eBay replied to Castle that the problem had already been reported to “higher authorities”, yet various listings on the site are still trying to exploit the same issue.

The BBC found 64 such listings in the past 15 days that put users at risk. In each instance cross-site scripting (XSS) was used to exploit the user’s browsing, with the attack placed in the listing page using JavaScript.

“This is not a new type of vulnerability on sites such as eBay,” read a statement released by eBay on Friday. “This is related to the fact that we allow sellers to use active content like Javascript and Flash on our site. Many of our sellers use active content like Javascript and Flash to make their eBay listings more attractive. However, we are aware that active content may also be used in abusive ways.”
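The statement above ties the problem to seller-supplied active content in listings. As an added example (not eBay's code and not part of the original article), this Python checker flags active content in a listing's HTML before it is shown to buyers; the tag and attribute lists and the sample listing are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Tags that carry or load active content (script, Flash, embedded documents).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
# Attributes whose value is a URL and could use a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects (line, kind, detail) tuples for active content in listing HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, "active-tag", tag))
        for name, value in attrs:  # values arrive with entities already decoded
            if name.startswith("on"):  # inline handlers: onload, onclick, ...
                self.findings.append((line, "event-handler", name))
            elif name in URL_ATTRS and value:
                # URL parsers strip tabs and newlines, so drop whitespace and
                # control characters before comparing the scheme.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append((line, "script-url", name))


def find_active_content(listing_html):
    """Return every active-content finding in one listing description."""
    finder = ActiveContentFinder()
    finder.feed(listing_html)
    finder.close()
    return finder.findings


# Constructed sample listing description (not taken from any real listing).
SAMPLE_LISTING = """<h1>Digital camera, boxed</h1>
<p onmouseover="void 0">Great condition.</p>
<script>/* seller-supplied script would run here */</script>
<a href="java&#115;cript:void 0">More photos</a>
<embed src="gallery.swf" type="application/x-shockwave-flash">
<a href="https://example.com/photos">Plain link</a>"""

if __name__ == "__main__":
    for line, kind, detail in find_active_content(SAMPLE_LISTING):
        print(f"line {line}: {kind} ({detail})")
```

A listing with any finding can be rejected or held for review; a site that keeps allowing active content needs stricter isolation than a checker like this provides.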

When security researchers first uncovered the vulnerability earlier this week, the firm was heavily criticised for failing to react quickly to the problem, and the news that it has been around for even longer than first thought gives those researchers even more fuel.

Jamie is a freelance writer with over eight years' experience writing for online audiences about technology and other topics. In his time writing for ITProPortal he wrote daily news stories covering the IT industry and the worldwide technology market, as well as features that covered every part of the IT market, from the latest start-ups to multinational companies and everything encompassed by the IT sector. He has also written tech content for our sister publication, TechRadar Pro. Jamie has since moved into sports betting content and is Content Manager at Betbull.