eBay redirect attack puts buyers' credentials at risk

  • 17 September 2014
  • 7 replies

By Leo Kelion, Technology desk editor
 


 
A listing for an iPhone 5S contained code that resulted in users being sent to a scam site
 
 
EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials.
 
The spoof site had been set up to look like the online marketplace's welcome page.
 
The US firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later.
 
One security expert said he was surprised by the length of time taken.
 
"EBay is a large company and it should have a 24/7 response team to deal with this - and this case is unambiguously bad," said Dr Steven Murdoch from University College London's Information Security Research Group.
 
Full Article
 

Thanks @ ... I never did like eBay...
by Lisa Vaas on September 19, 2014
 
eBay's getting flak for its chilled response to a serious attack.
On Wednesday, a redirect attack was discovered on the auction site, working to grab customers' credentials on a spoofed eBay site.
The company left up the listing, which appeared to be advertising an iPhone 5S for sale, for 12 hours after it was reported on Wednesday night.
Paul Kerr, an IT worker from Alloa in Clackmannanshire who the BBC says is also an "eBay PowerSeller", is responsible for finding and reporting the attack, having clicked on the listing and then having been bounced around through a series of pages.
 
Full Article
This is alarming news; I know many of my family members use eBay.
By Dave Lee and Leo Kelion BBC News
 


 
Leading security researchers have called on eBay to take immediate action over dangerous listings, as the problem continues to put users at risk.
The BBC has now identified more than 100 listings that had been exploited to trick customers into handing over personal data.
Over the weekend, readers got in touch with the BBC, saying they had attempted to warn eBay about the problem.
The company said it would "continue to review all site features and content".
 
Full Article
Author: Zeljka Zorz/ HNS Managing Editor/ Posted on 22 September 2014.
 
Pressure is mounting against eBay to quickly detect and remove bogus listings triggering cross-site scripting flaws to redirect users to phishing and other malicious pages.

This particular problem has existed for years because eBay allows the use of custom JavaScript and Flash content on listings pages so that they might "pop out" and attract more potential buyers.

EBay has generally been doing a good job removing malicious listings, but every now and then they slip up and the number of these listings spikes for a while, as is currently happening.

 
 
Help Net Security/ full article here/ http://www.net-security.org/secworld.php?id=17393
By Sam Pudwell, posted on 9/25/2014
 


 
 
eBay is being put under intense pressure by leading security researchers to take action over the dangerous listings that are tricking customers into giving away their personal data.
The vulnerability relates to users' ability to insert custom JavaScript and Flash content into their listing pages, which significantly raises the likelihood of malicious code being included through a technique known as cross-site scripting (XSS).
The compromised pages appear as legitimate listings, but when clicked upon the user is automatically redirected to a malicious website designed to steal personal information such as credit card details.
James Lyne, from security firm Sophos, said, "The summary is that it is exceptionally dodgy and redirecting the user to a nasty web page with some really suspect scripts.
"At present we can't get our hands on the end payload, so can't be sure of the attackers' complete motive, but it is clear there are still nasty malicious redirects on the eBay site".
It is unclear exactly how long this has been an issue on the site, with some experts saying that the problem has been present for over a year.
 
betanews/ full article here/ http://betanews.com/2014/09/25/ebay-heavily-criticized-for-leaving-user-data-exposed/
