eBay security flaw has existed for months

Image (eBay "Buy it now" button, Getty Images): Listings clicked on eBay automatically directed users to malicious websites

A flaw that has exposed eBay customers to malicious websites has been affecting the site since at least February, the BBC has found.

Earlier this week it was revealed how clicking on some listings automatically redirected users to the harmful sites.

EBay removed several posts, but said it was an isolated incident.

But the BBC has since found multiple listings, from multiple users, exploiting the same vulnerability.

Furthermore, several readers contacted the BBC detailing complaints they had made to the site.

In a statement, eBay said it had a dedicated team working on security, but that criminals "intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems".

'Big problem'

A transcript from February this year showed user Paul Castle explaining the issue, in detail, to eBay support staff.

"I was just browsing in Digital Cameras and came across a password-harvesting scam," wrote Mr Castle during the online chat with eBay support staff.

Clicking on the listing link, Mr Castle explained, "transfers immediately to a password harvest scam page".

Image (eBay): A listing for an iPhone 5S contained code that sent users to a scam site

"This is potentially a big security problem for eBay users," he said, adding: "There could be hundreds."

EBay staff told Mr Castle that the problem had been escalated to "higher authorities".

Other users got in touch with the BBC to outline how they too had found listings that, when clicked on, behaved in the same way.

'Abusive ways'

EBay's search function allows users to find only completed auctions that are no more than 15 days old.

However, a brief search by the BBC uncovered 64 listings from the past 15 days that posed a danger to users.

In each case, cross-site scripting (XSS) appears to have been used to hijack the user's browsing: JavaScript embedded in the listing page redirected the browser to the harmful site.

In a statement on Friday, a spokeswoman for eBay said: "This is not a new type of vulnerability on sites such as eBay.

Image (Getty Images): eBay has been under scrutiny over other security issues earlier this year

"This is related to the fact that we allow sellers to use active content like JavaScript and Flash on our site.

"Many of our sellers use active content like JavaScript and Flash to make their eBay listings more attractive. However, we are aware that active content may also be used in abusive ways."

She added: "Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code."
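The mechanism the article describes (active content such as JavaScript inside a seller-supplied listing redirecting the buyer's browser) and the kind of detection eBay's statement alludes to can be illustrated with a simple allowlist-based scanner. What follows is an added example written for this page, not eBay's code or anything the article describes in detail: it parses listing HTML with Python's standard library and flags script tags, event-handler attributes, javascript:/vbscript:/data: URL schemes, meta-refresh redirects and Flash/object embeds. The sample listings, item ids and hostnames are constructed for the example. The `sweep` helper runs the same check over a batch of listings, the kind of site-wide search for other listings exploiting the same flaw that Dr Murdoch calls for later in the article.

```python
"""Allowlist-based scanner for seller-supplied listing HTML (added example).

Rather than matching known payloads, it rejects every construct that can run
code or navigate the browser, since a product description needs none of them.
"""
from dataclasses import dataclass
from html.parser import HTMLParser

# Tags that execute code, embed plug-ins or change where links resolve.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame", "base", "link"}
# Attributes whose value is a URL and may therefore carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "background", "poster", "data"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


@dataclass
class Finding:
    line: int      # line in the listing HTML where the construct starts
    tag: str       # element carrying the construct
    reason: str    # human-readable reason for review


def _normalise_scheme(value: str) -> str:
    # Browsers ignore leading whitespace and embedded tab/CR/LF when parsing a
    # URL scheme, so strip them before comparing or "java\tscript:" slips by.
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\n\r")
    return cleaned.lower()


class ActiveContentScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings: list[Finding] = []

    def _flag(self, tag: str, reason: str) -> None:
        line, _col = self.getpos()
        self.findings.append(Finding(line, tag, reason))

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self._flag(tag, f"active-content tag <{tag}>")
        for name, value in attrs:
            name = name.lower()
            value = value or ""          # valueless attributes parse as None
            if name.startswith("on"):
                self._flag(tag, f"event handler attribute {name}")
            elif name in URL_ATTRS:
                scheme = _normalise_scheme(value)
                if scheme.startswith(DANGEROUS_SCHEMES):
                    self._flag(tag, f"{name} uses scheme {scheme.split(':')[0]}:")
            elif name == "style" and "expression(" in value.lower().replace(" ", ""):
                self._flag(tag, "CSS expression() in style attribute")
        if tag == "meta":
            attrd = {k.lower(): (v or "") for k, v in attrs}
            if attrd.get("http-equiv", "").strip().lower() == "refresh":
                self._flag(tag, "meta refresh redirect")


def scan_listing(html: str) -> list[Finding]:
    """Return every active-content finding in one listing's HTML."""
    parser = ActiveContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def sweep(listings: dict[str, str]) -> dict[str, list[str]]:
    """Scan a batch of listings (e.g. every listing from one seller) and
    return {item_id: [reasons]} for those that need to be pulled for review."""
    flagged: dict[str, list[str]] = {}
    for item_id, html in listings.items():
        findings = scan_listing(html)
        if findings:
            flagged[item_id] = [f.reason for f in findings]
    return flagged


# Constructed sample listings; item ids and hostnames are placeholders.
SAMPLE_LISTINGS = {
    "benign-001": '<h2>Digital camera</h2><p>Boxed, <b>12MP</b>.</p>'
                  '<img src="https://img.example.com/cam.jpg" alt="camera">',
    "redirect-002": '<h2>iPhone 5S</h2>'
                    '<script>location.href="https://login.example.invalid/";</script>',
    "handler-003": '<img src="x.jpg" onerror="location=\'https://example.invalid/\'">',
    "refresh-004": '<meta http-equiv="refresh" content="0;url=https://example.invalid/">',
    "scheme-005": '<a href=" java\tscript:void(0)">Click for photos</a>',
    "flash-006": '<object data="movie.swf" type="application/x-shockwave-flash"></object>',
}

if __name__ == "__main__":
    for item_id, reasons in sweep(SAMPLE_LISTINGS).items():
        print(item_id, "->", "; ".join(reasons))
```

The scanner is deliberately an allowlist in spirit: any element or attribute that can execute code is rejected regardless of what the code does, which is what makes it robust against criminals who, in eBay's words, "intentionally adapt their code and tactics". A denylist of known redirect snippets would have to be updated after every new variant. In production the same check would run when a listing is created or edited, with the finding's line number handed to a reviewer.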

'A bad thing'

Image (eBay): The malicious links were for a wide variety of listings

Ebay has been criticised by security experts for not responding to the vulnerability quickly enough.

While some listings were removed after being reported, the underlying issue has yet to be fixed.

Ilia Kolochenko, XSS expert and chief executive of security firm High-Tech Bridge, said it was difficult for "large complicated sites to be completely free of XSS vulnerabilities".

But he said that once a particular XSS exploit was being used for malicious purposes - as demonstrated by the redirects to harmful websites - companies must act quickly, not just to remove the offending content but to prevent the flaw from being exploited again.

He said: "If someone has reported an issue to eBay, and the vulnerability was not fixed promptly, this is a bad thing."

Dr Steven Murdoch, from University College London's Information Security Research Group, agreed.

He told the BBC: "EBay should as a matter of priority have looked for all the other links which exploited the same vulnerability and removed these too, as well as closing off the vulnerability from future attackers.

"It's clear they need to be more careful about what they allow - particularly when it comes to JavaScript."

Follow Dave Lee on Twitter @DaveLeeBBC