Back in September, eBay made the headlines due to a number of Cross-Site Scripting (XSS) vulnerabilities found on their site. Following pressure from security experts and users, a few of these vulnerabilities were patched, although eBay were quoted as saying they would not remove the active content functionality which allows such attacks. In September, Acunetix also alerted eBay to a particular XSS vulnerability, but to date no action has been taken.
The particular vulnerability, discovered by Ian Muscat from the Acunetix Research & Development team, concerns the “active content” functionality of listings and presents the opportunity for hackers to gain access to seller accounts in order to create listings which could direct visitors to a third party site.
If you’re viewing a listing, pay close attention to where you click. If you’re planning to purchase an item, make sure you do this through the usual eBay processes. If you click on a listing and a window opens asking for your login information and/or payment details, be suspicious: you could have been directed to a fraudulent site and might be giving your details to a cyber criminal.
What can the cyber criminal do once he gains access to your eBay account?
- Identity theft – At the very least, the cyber criminal has access to all the information in your Account settings, including all the shipping addresses that you have used. Such information is valuable on the black market, where criminals are always looking to purchase details of real people.
- Using your eBay account to buy potentially illegal products.
- Creating listings and therefore receiving money without sending the advertised item.
Acunetix takes this opportunity to wish you all a safe Christmas!