This article is more than 1 year old

Bargain basement iPhone shoppers BEWARE! eBay exposes users to phishing vuln

Tat bazaar downplays malicious attack on multiple auctions

eBay bans the use of cross-site scripting on the online tat bazaar because it can open up the site's users to nasty phishing vulnerabilities. And yet, according to the BBC, some auction listings have been exposed to the exploit since February this year.

Some users hunting for old iPhones could have been caught up in the security scam, it's been reported.

The Beeb said it spotted 64 listings from the past 15 days that had been exposed to cross-site scripting flaws in eBay's auction listings.

However, eBay downplayed the vuln on Friday and removed some listings from the site. A spokeswoman told the BBC:

This is related to the fact that we allow sellers to use active content like Javascript and Flash on our site.

Many of our sellers use active content like Javascript and Flash to make their eBay listings more attractive. However, we are aware that active content may also be used in abusive ways.

Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code.

But security expert Graham Cluley questioned eBay's seemingly lax response to phishing on its site.

"It would be nice to think that eBay, one of the world’s most popular websites, had its act together when it came to securing its content," he said in a blog post.

"After all, if a hacker were able to boobytrap auction pages on the site to redirect users to a phishing page that asked them to enter their eBay username and password, that would be a pretty bad thing. Right?"

He added:

eBay clearly dropped the ball by allowing the malicious script to find its way into auction entries – it’s the kind of code which should be stripped out of its pages, so there’s no possibility of any harm being done.

®
