Leading security researchers have called on eBay to take immediate action over dangerous listings, as the problem continues to put users at risk.
The BBC has now identified more than 100 listings that had been exploited to trick customers into handing over personal data.
Over the weekend, readers got in touch with the BBC, saying they had attempted to warn eBay about the problem.
The company said it would "continue to review all site features and content".
The BBC has found that:
- Innocent user accounts were hijacked in order to place the fake listings. Many of the accounts had 100% positive feedback, and had sold hundreds of items.
- One victim who had his account hijacked told the BBC he was locked out of his account - and later billed "around £35" by eBay to cover seller's fees for items he had not auctioned.
- When customers clicked on a listing that had been compromised, they were brought to a sophisticated, official-looking site that asked victims to log in and share bank account details.
- The types of items used to target victims ranged from smartphones and televisions to hot tubs and clothing.
The vulnerability centres around users' ability to place custom Javascript and Flash content into their listings pages.
Often sellers will use this method to make their pages look more exciting, with animations or other eye-catching techniques.
But use of Javascript and Flash, eBay acknowledged, significantly raised the likelihood that malicious code could be included within the site's pages - due to a hacking technique known as cross-site scripting (XSS).
It meant users clicking on eBay listings that appeared legitimate were being automatically re-directed to harmful websites designed to steal user information, including credit card details.
"The summary is that it is exceptionally dodgy and redirecting the user to a nasty web page with some really suspect scripts," said James Lyne from the security firm Sophos.
No comments:
Post a Comment