Back in September, eBay made the headlines due to a number of Cross Site Scripting (XSS) vulnerabilities found on their site. Following pressure from security experts and users, a few of these vulnerabilities were patched, although eBay were quoted as saying they would not remove the active content functionality which allows such attacks. In September, Acunetix also alerted eBay to a particular XSS vulnerability, but to date no action has been taken.

The particular vulnerability, discovered by Ian Muscat from the Acunetix Research & Development team, concerns the “active content” functionality of listings and presents the opportunity for hackers to gain access to seller accounts in order to create listings which could direct visitors to a third-party site.

‘Active content’ is the part of creating a listing which allows sellers to use Flash or JavaScript to enhance and customise their listing. The problem arises when sellers are duped into using ‘free’ code from third-party websites that offers enhanced customisation of their listing but also contains active content that hijacks the account. Alternatively, the attacker could hijack a seller’s account to create these listings, as a trusted seller would receive more traffic and open the door to more victims.

If you’re a regular seller, you’ll be aware of this functionality on your listings, and if you use it to customise your listings then it’s very important to be careful what code you insert. Can you really trust that website offering you free JavaScript to customise your listings? To avoid an eBay hack, use only trusted sources, or you risk your account being hacked or your listing directing customers to fraudulent pages. Ideally the code should be reviewed by a security engineer before it is placed in your eBay listing.
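A first-pass triage a reviewer could run over a third-party template before it goes into a listing, as an added example that is not from the original post, Acunetix or eBay. The sample snippet, its host names and the trusted-host list are constructed, and the script only lists what needs a human look; it does not sanitise anything.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that execute or load active content (script, Flash, frames).
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}
# Attributes whose value is a URL the browser may fetch or navigate to.
URL_ATTRS = {"src", "href", "data", "action", "formaction"}


class ListingReview(HTMLParser):
    """Collects (line, tag, reason) findings for a listing snippet."""

    def __init__(self, trusted_hosts=()):
        super().__init__()
        self.trusted = set(trusted_hosts)  # assumption: hosts the seller controls
        self.findings = []

    def flag(self, tag, reason):
        self.findings.append((self.getpos()[0], tag, reason))

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.flag(tag, "active content element")
        for name, value in attrs:
            url = urlparse((value or "").strip())
            if name.startswith("on"):  # onclick, onload, onerror, ...
                self.flag(tag, f"inline event handler {name}")
            elif name in URL_ATTRS and url.scheme in ("javascript", "data", "vbscript"):
                self.flag(tag, f"{name} uses {url.scheme}: URL")
            elif name in URL_ATTRS and url.netloc and url.hostname not in self.trusted:
                self.flag(tag, f"{name} points to external host {url.hostname}")


def review_listing(html, trusted_hosts=()):
    parser = ListingReview(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a "free template" snippet of the kind described above.
SAMPLE = """<div class="template">
<img src="https://img.trusted.example/banner.png" onload="init()">
<script src="//widgets.freebie.example/gallery.js"></script>
<a href="javascript:openGallery()">More photos</a>
</div>"""

if __name__ == "__main__":
    for line, tag, reason in review_listing(SAMPLE, {"img.trusted.example"}):
        print(f"line {line}: <{tag}> {reason}")
```

Every finding is a place where the template can run code or pull it from a host the seller does not control, which is where the manual review should start.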

If you’re viewing a listing, then pay close attention to where you click. If you’re planning to purchase an item, make sure you do this through the usual eBay processes. If you click on a listing and a window opens asking for your login information and/or payment details, then be suspicious: you could have been directed to a fraudulent site and might be giving your details to a cyber criminal.

What can the cyber criminal do once he gains access to your eBay account?

  • Identity theft – At the very least, the cyber criminal has access to all the information in your Account settings, including all the shipping addresses that you have used. Such information is valuable on the black market, where criminals are always looking to purchase details of real people.
  • Using your eBay account to buy potentially illegal products.
  • Creating listings and therefore receiving money without sending the advertised item.

Acunetix takes this opportunity to wish you all a safe Christmas!

