eBay: Buyer Credentials At Risk With Spoof Ads

UPDATE: It has since been discovered that the security flaw has actually existed since February. The number of ads identified has risen overnight from 4 ads from 4 different eBay accounts to hundreds across multiple accounts. Details show that the issue was identified and reported by multiple users in February; however, eBay did nothing to combat it until now. Items listed include smartphones, digital cameras, clothes and household items.

Wednesday night was not only the release of Apple’s iOS 8, but also the night that eBay discovered spoof ads on their network which attempted to steal buyer credentials: the listings diverted visitors through redirect pages to a fake page replicating the eBay marketplace welcome page. From here a user is asked to sign in, which harvests their login credentials.

Despite being made aware of the hack on the night, eBay only removed these spoof ads following a call from the BBC over 12 hours later. Considering the number of security incidents at eBay this year alone, it is very surprising that a 24/7 response team is not already in place to resolve issues like these promptly, before users are affected.

The spoof ads were up long enough for security experts to analyse the listings prior to removal, allowing them to identify that the method used was in fact a cross-site scripting (XSS) attack. This is where malicious JavaScript code is posted within a product listing page, taking users through multiple malicious pages in order to capture their details and plant malware on their devices. In this instance, it took only one click of the link for the browser to be hijacked, and the code present had the potential to carry out additional malicious actions.
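
The attack above works because the marketplace rendered seller-supplied listing HTML, script tags and all. Below is an added example (not eBay's code) of the control that prevents it: an allowlist sanitiser for listing HTML that keeps a few formatting tags, drops scripts, event handlers and `javascript:` links, and returns a list of what it removed so submissions carrying active content can be flagged for review. The sample listing is constructed to mirror the redirect-to-fake-sign-in pattern the article describes; the `example.invalid` host is a placeholder.

```python
"""Allowlist sanitiser for user-supplied listing HTML (added example, not eBay code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a listing may contain and, per tag, the attributes allowed on it.
# Anything not listed here is dropped, so new browser features are safe by default.
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "ul": set(),
           "li": set(), "a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https"}   # blocks javascript:, data:, vbscript:, ...
VOID = {"br", "img"}               # tags that take no closing tag


def safe_url(value):
    """Accept only absolute http(s) URLs; relative and scheme-relative URLs are rejected too."""
    parsed = urlparse(value.strip())
    return parsed.scheme.lower() in SAFE_SCHEMES and bool(parsed.netloc)


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitised fragments
        self.dropped = []    # removed tags/attributes, e.g. "script", "img@onerror"
        self.skip = False    # True while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(tag)
            self.skip = tag in ("script", "style")
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None and \
               (name not in ("href", "src") or safe_url(value)):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")   # covers on* handlers and bad URLs
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = False
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text is always escaped, never re-parsed as markup


def sanitize_listing(html):
    """Return (clean_html, dropped_items); a non-empty dropped list is a review signal."""
    parser = ListingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: inline redirect script, javascript: link and an event handler.
SAMPLE = ('<p>Used smartphone, <b>great</b> condition.</p>'
          '<script>window.location="http://example.invalid/signin"</script>'
          '<a href="javascript:location.href=\'http://example.invalid\'">View more photos</a>'
          '<img src="http://example.invalid/p.jpg" onerror="alert(1)" alt="photo">')
```

Running `sanitize_listing(SAMPLE)` keeps the paragraph, the link text and the image but strips the script, the `javascript:` href and the `onerror` handler, reporting them in the dropped list.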

The initial user who discovered the compromised page only noticed because of the unusual web address they were linked to, suggesting that anyone with limited technical knowledge would have been fooled, not knowing any different. That being said, we can probably guarantee that many a user has taken the bait, meaning someone out there will have virtually full access to buyer accounts.

The account that initially posted the malicious ads only had 3 posts; however, there is nothing stopping the attackers from using the compromised accounts to spread this attack further across the web, giving them access to even more users' financial details.
