UNSCRUPULOUS SCAMMERS are exploiting eBay and the Apple iPhone as part of a security attack.
An eBay user blew the whistle on the auction issue. While looking for an iPhone he came across an auction with a link that took him to a page outside eBay that looked a lot like eBay and asked for his eBay login credentials. He did not like the look of it.
That man is Paul Kerr, an eBay PowerSeller and IT worker from Alloa in Clackmannanshire, Scotland, according to a report on the BBC. Kerr told BBC News that he had reported the issue to eBay but had not seen it fixed. The BBC reports that once it had spoken to eBay the auction was removed.
Security professional Graham Cluley is shocked by the incident and exclaimed that it could, and should, have been avoided.
"eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries," he said. "It's the kind of code which should be stripped out of its pages, so there's no possibility of any harm being done."
Cluley said that eBay was suffering from a cross-site scripting (XSS) flaw that let the bad guys insert their third-party webpage redirect script into listings and get away with it.
If there is a lesson here, it might be to not buy second-hand items on eBay, it might be to not buy anything on eBay or it might be to not expect websites to catch malicious script on their webpages.
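Cluley's point that such script should be stripped from listing pages amounts to allowlist sanitising of seller-supplied HTML: keep a few harmless tags, drop script-like elements with their content, drop event-handler attributes, and refuse links that are not plain http(s) URLs on the marketplace's own hosts. The following is an added example written for this article, not eBay's code; the tag, attribute and host lists are assumed placeholders and the sample listing is constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed listing policy and host names (constructed for this example, not eBay's rules)
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
TRUSTED_HOSTS = {"www.ebay.co.uk", "i.ebayimg.com"}
def safe_url(value):  # only http(s) on a trusted host passes; javascript: and off-site fail
    u = urlparse(value.strip())
    return u.scheme in ("http", "https") and u.hostname in TRUSTED_HOSTS

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth, self.dropped = [], 0, []
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:      # element and everything inside it vanish
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                        # unknown tag: keep its text, lose the tag
        kept = []
        for name, value in attrs:
            ok = name in ALLOWED_ATTRS.get(tag, set()) and not name.startswith("on")
            if ok and name in ("href", "src"):
                ok = bool(value) and safe_url(value)
            if ok:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}={value}")
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:           # re-escape text so it cannot reopen markup
            self.out.append(html.escape(data, quote=False))

def sanitize_listing(raw_html):
    parser = ListingSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.dropped
# Constructed sample description (not from the article) mixing real markup with abuse
SAMPLE_LISTING = ('<p>iPhone 5s <b>mint</b></p><script>location="http://evil.example/login"</script>'
    '<a href="javascript:alert(1)">x</a><a href="http://evil.example/a">Sign in</a><img src="https://i.ebayimg.com/p.jpg" onerror="steal()">')
```

The returned `dropped` list is worth logging: a listing that sheds a `script` element or an off-site `href` is exactly the kind of entry a marketplace abuse team would want to review.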
We asked eBay, which has been the target of a lot of rather angry complaints in recent weeks, if it would like to comment. "The eBay corporate network has not been compromised. This appears to be a case of abuse by a user who placed malicious links within a few product listings on eBay.co.uk," said an eBay spokesperson.
"We take the safety of our marketplace very seriously and remove listings that are in violation of our policy on third-party links."
We are given to understand that the firm is shoring up its data centres following a number of service and uptime issues. Presumably it is also still coming to terms with the reaction to the password fiasco that blighted its reputation earlier this year.