Online marketplace Ebay has been aware since early this year that users were in danger of having their log-in details stolen by "phishing websites", according to an independent security expert.
Graham Cluley, an independent security analyst who runs a blog on the subject, told The Drum that the vulnerability allowed advertisers to direct users to third-party sites that could “pretend to be eBay”, allowing scammers to harvest log-in details and passwords.
He noted that the online auction company had been aware of the problem since February but apparently “had not got proper control of the situation”, which Cluley said was “embarrassing for them”.
In response to our query, a spokesperson for the online marketplace commented: “Cross-site scripting, carried out by malicious individuals, is an issue affecting sites across the Internet.”
However, an Ebay spokesperson told The Drum: “We have no current plans to remove active content from Ebay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security.”
The statement continued: “We have hundreds of engineers, security and fraud specialists working around the clock to detect and take action against security issues, including cross-site scripting links,” and urged users who detected phishing issues to report them to the site's administrators.
Ebay has experienced technical difficulties with its website this month, leaving many users unable to log in.