
eBay gets slammed for leaving user data exposed

eBay is being put under intense pressure by leading security researchers to take action over the dangerous listings that are tricking customers into giving away their personal data.

The vulnerability stems from sellers' ability to insert custom JavaScript and Flash content into their listing pages, which makes it far easier for malicious code to be injected into the site through a technique known as cross-site scripting (XSS).


The compromised pages appear as legitimate listings, but when clicked the user is automatically redirected to a malicious website designed to steal personal information such as credit card details.
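As an added illustration from the defensive side (not eBay's code, and not anything described in the article), the following Python sanitizer shows how a marketplace can keep seller formatting while stripping the active content the article describes: script blocks, inline event handlers and javascript: links are removed and recorded for alerting. The tag and attribute allowlists and the sample listing are assumptions made for this example.

```python
# Added example, not eBay's code: allowlist sanitizer for seller-supplied listing HTML.
# The allowlists, the sample listing and the scheme check are assumptions for this demo.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "br", "ul", "ol", "li", "a", "img", "table", "tr", "td"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}                      # never emit a closing tag for these
SAFE_SCHEMES = ("http://", "https://")         # blocks javascript:, data:, vbscript: URLs
DROP_WITH_CONTENT = {"script", "style", "object", "applet", "iframe"}  # element plus body

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip_depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:           # drop the element and everything inside it
            self.skip_depth += 1
            self.removed.append(tag)
        elif self.skip_depth or tag not in ALLOWED_TAGS:   # unknown tag (embed, meta, div...): unwrap
            if not self.skip_depth:
                self.removed.append(tag)
        else:
            kept = []
            for name, value in attrs:
                value = value or ""
                if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                    self.removed.append(f"{tag}@{name}")            # event handlers, style, etc.
                elif name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                    self.removed.append(f"{tag}@{name}={value!r}")  # non-http(s) URL
                else:
                    kept.append(f' {name}="{escape(value)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_listing(html):
    """Return (clean_html, removed) so the removed list can feed seller-abuse alerting."""
    parser = ListingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample: an inline handler, a redirecting script block and a javascript: link.
SAMPLE_LISTING = ('<p onmouseover="steal()">Nice <b>phone</b></p><script>location="http://evil.example"'
                  '</script><a href="javascript:alert(1)">buy</a><img src="https://img.example/p.jpg" alt="p">')
```

The `removed` list is the detection hook: a seller whose listings repeatedly shed script tags or javascript: links is worth a review queue, not just a silent strip.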

James Lyne, from security firm Sophos, said, "The summary is that it is exceptionally dodgy and redirecting the user to a nasty web page with some really suspect scripts.

"At present we can't get our hands on the end payload, so can't be sure of the attackers' complete motive, but it is clear there are still nasty malicious redirects on the eBay site."

It is unclear exactly how long this has been an issue on the site, with some experts saying that the problem has been present for over a year.

"Many of our sellers use active content like JavaScript and Flash to make their eBay listings perform better," eBay said in a statement.

"We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security."


This stance has been heavily criticised by several industry professionals, including Mikko Hypponen from security firm F-Secure, who said: "It's not OK for eBay to have cross-site scripting vulnerabilities on its website.

"If they can't make it work without the risk of exposing users to cross-site scripting, they shouldn't allow it."

Sam is Head of Content at Red Lorry Yellow Lorry, and has more than six years' experience as a reporter and content writer, having held the positions of Production Editor, Staff Writer, and Senior Business Writer at ITProPortal.