eBay bans the use of cross-site scripting on the online tat bazaar because it can open up the site's users to nasty phishing vulnerabilities. And yet, according to the BBC, some auction listings have been exposed to the exploit since February this year.
Some users hunting for old iPhones could have been caught up in the security scam, it has been reported.
The Beeb said it spotted 64 listings from the past 15 days that had been exposed to cross-site scripting flaws in eBay's auction listings.
However, eBay downplayed the vuln on Friday and removed some listings from the site. A spokeswoman told the BBC:
Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code.
But security expert Graham Cluley questioned eBay's seemingly lax response to phishing on its site.
"It would be nice to think that eBay, one of the world’s most popular websites, had its act together when it came to securing its content," he said in a blog post.
"After all, if a hacker were able to boobytrap auction pages on the site to redirect users to a phishing page that asked them to enter their eBay username and password, that would be a pretty bad thing. Right?"
eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done.
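The "stripped out" step the article calls for is an allowlist sanitizer applied to seller-supplied listing HTML before it is stored or rendered. The following is an added example, not eBay's code and not from the BBC or Cluley's post; the tag and attribute allowlists, the `http(s)://`-only rule for links, and the sample listings are all constructed for illustration. It keeps a handful of formatting tags, drops `script`/`style` bodies, event-handler attributes and `javascript:` URLs, and counts what it removed so a listing that loses content can be flagged for review.

```python
from html import escape
from html.parser import HTMLParser

# Added example, not eBay's code. Seller-supplied listing HTML is reduced to an
# allowlist of harmless formatting tags; anything that can run script (script or
# style bodies, on* event attributes, javascript: URLs, unknown tags) is dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}        # only <a href="..."> keeps an attribute
VOID_TAGS = {"br"}                     # tags that take no closing tag
DROP_BODY = {"script", "style"}        # drop the tag and everything inside it
SAFE_SCHEMES = ("http://", "https://") # assumed policy: absolute web links only


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # allowed tags currently open, keeps output well-formed
        self.suppress = None   # tag whose body is currently being discarded
        self.stripped = 0      # tags/attributes removed; worth logging server-side

    def handle_starttag(self, tag, attrs):
        if self.suppress:
            return
        if tag in DROP_BODY:
            self.suppress = tag
            self.stripped += 1
            return
        if tag not in ALLOWED_TAGS:
            self.stripped += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.stripped += 1      # drops onclick=, onerror=, style=, ...
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.stripped += 1      # drops javascript:, data:, and similar schemes
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.suppress:
            if tag == self.suppress:
                self.suppress = None
            return
        if tag in self.open_tags:
            # close any still-open inner tags first so nesting stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text is always re-escaped, so "<" typed by a seller stays literal text.
        if not self.suppress:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_listing(raw_html):
    """Return (clean_html, number_of_tags_and_attributes_stripped)."""
    parser = ListingSanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result(), parser.stripped


if __name__ == "__main__":
    # Constructed sample listings, not real eBay content.
    samples = [
        '<p>Old <b>iPhone 4</b>, boxed</p><script>location="http://example.invalid/login"</script>',
        '<img src="x" onerror="go()">Click <a href="javascript:go()" onclick="go()">here</a>',
        'See <a href="https://www.example.com/item/1">the listing</a>',
    ]
    for sample in samples:
        print(sanitize_listing(sample))
```

A non-zero stripped count on a new or edited listing is the useful detection signal: legitimate sellers rarely need `script` or `onclick`, so such listings can be held for review rather than published. The allowlist approach matters because a blocklist of known-bad tags is exactly what attackers enumerate around.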