Online auction website eBay has played down the impact of a page redirect that may have seen user credentials stolen.
According to BBC News, a cross-site scripting (XSS) flaw on the eBay website saw a spoof site set up to look like the online marketplace’s welcome page, complete with a login section.
A spokesman for eBay played down the scope of the attack, telling BBC News that the report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page. He said: “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”
The BBC said that it identified three listings posted by the same account. At least two of them produced the same redirect behaviour; the third was removed by eBay, along with the other two, before it could be checked.
Chris Oakley, principal security consultant at Nettitude, said: “XSS has been a known attack vector for many years. The impact of such an attack can be wide and varied; it is possible to leverage a cross-site scripting flaw to deliver malware to an unsuspecting victim or, as appears to be the case here, to redirect users to malicious sites designed to capture their credentials.
“eBay appears to have been vulnerable to a variant of XSS that allowed malicious code to be delivered to its users without any interaction between the attacker and the victim required, which is arguably the most severe form of this vulnerability.”