Ebay was aware of security hole for months, claims security expert

Online marketplace Ebay was aware that users were in danger of having their log-in details stolen by "phishing websites" since early this year, according to an independent security expert.

Graham Cluley, an independent security analyst who runs a blog on the subject, told The Drum that the vulnerability allowed advertisers to direct users to third-party sites that could “pretend to be eBay”, allowing scammers to harvest log-in details and passwords.

He noted that the online auction company had been aware of the problem since February but apparently “had not got proper control of the situation”, a situation Cluley said was “embarrassing for them”.

In response to our query, a spokesperson for the online marketplace commented: “Cross-site scripting, carried out by malicious individuals, is an issue affecting sites across the Internet.

“This is not a new type of vulnerability on sites such as Ebay and is related to how sellers use active content like JavaScript and Flash on our site. Many of our sellers use active content like JavaScript and Flash to make their Ebay listings perform better.”

Asked what Ebay could do to rectify the problem, Cluley said that he did not see the need for users to be able to add Flash and JavaScript to their ads just to “pimp up their listings,” and added that from a security point of view, “you don’t need dancing penguins to sell a product”.
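The fix Cluley argues for, stripping active content from seller listings so a listing cannot script the page or redirect buyers to a look-alike login site, is what an allowlist sanitizer enforces on the server before the listing is stored or rendered. The following is an added example written for this article, not eBay's code or any code from the people quoted; the tag and attribute allowlists, the `sanitize_listing` function and the sample listing are all constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists: only plain formatting markup survives.
# Anything not listed here (script, object, embed, iframe, ...) is dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "div", "span",
                "table", "tr", "td", "th", "img", "a"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
# Active-content elements whose inner content is discarded as well.
ACTIVE_TAGS = {"script", "style", "object", "embed", "applet", "iframe",
               "form", "meta", "link"}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = ("http://", "https://")   # allowlist, so javascript: never passes


class ListingSanitizer(HTMLParser):
    """Rebuilds a listing from allowlisted tags only, recording what it removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # >0 while inside an active-content element
        self.removed = []        # audit trail for logging / seller feedback

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.removed.append(tag)
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(tag)   # tag dropped, its text content kept
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):            # onerror, onload, onclick, ...
                self.removed.append(f"{tag}@{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src"):
                if not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                    self.removed.append(f"{tag}@{name}")
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # re-escape so text can't become markup


def sanitize_listing(fragment):
    """Return (clean_html, removed_items) for a seller-supplied HTML fragment."""
    parser = ListingSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample listing: benign formatting plus three hostile additions
# (an inline script, an event-handler attribute and a javascript: link).
SAMPLE_LISTING = (
    '<p>Great <b>phone</b>!</p>'
    '<script>location="http://evil.example/login"</script>'
    '<img src="https://img.example/a.jpg" onerror="steal()">'
    '<a href="javascript:phish()">Click</a>'
)

if __name__ == "__main__":
    clean, removed = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    print("removed:", removed)
```

The design point is that the parser rebuilds the markup from an allowlist rather than trying to blacklist bad strings: an event handler or a `javascript:` URL never reaches the output because only named tags, named attributes and `http(s)` URLs are emitted. The `removed` list is worth keeping in server logs, since a seller whose listings repeatedly shed scripts or redirect links is a signal the fraud team wants to see.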

However, an Ebay spokesperson told The Drum: “We have no current plans to remove active content from Ebay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security.”

The statement continued: “We have hundreds of engineers, security and fraud specialists working around the clock to detect and take action against security issues, including cross site scripting links,” and urged users who detected phishing issues to report them to the site's administrators.

Ebay has experienced technical difficulties with its website this month, leaving many users unable to log in.

James Doleman