Ina Steiner EcommerceBytes Blog
News and insight focusing on ecommerce.
by Ina Steiner, Editor of EcommerceBytes.com
Fri Sept 19 2014 20:23:48

BBC Reports on Security Flaw Gives eBay Black Eye

By: Ina Steiner

The BBC is back with a second story this week about a security flaw on eBay. We reported on the BBC's original article two days ago on the EcommerceBytes News forum. Today the BBC is out with a follow-up article that says the flaw has been around for six months.

What's most damning about the report is that eBay told the BBC, for its first story, that the flaw was an isolated incident, but the BBC says it has found multiple listings from multiple users exploiting the same vulnerability.

"Furthermore, several readers contacted the BBC detailing complaints they had made to the site," including a user who provided the news service with a transcript from February in which he explained the issue in detail to eBay support staff, who told the user they had escalated his report to "higher authorities."

"In each case, it appears cross-site scripting (XSS) has been used to hijack the user's browsing - placed in the listings page using Javascript," the BBC wrote. In other words, this is stored XSS: script that a seller embeds in a listing's HTML runs in every visitor's browser under eBay's own domain, which is what makes a redirect to a spoofed sign-in page so convincing.

eBay responded to the BBC's inquiries with a statement in which it said it was not a new problem - it said in part, "Many of our sellers use active content like Javascript and Flash to make their eBay listings more attractive. However, we are aware that active content may also be used in abusive ways. Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code."

Indeed, we've reported on such problems going back at least to 2006.

But coming on top of this year's eBay data breach and the recent outages, this is not the kind of publicity eBay can shrug off.
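eBay's statement says its filters "detect and then remove listings containing malicious code." As an added example (not eBay's code, and not taken from the BBC's reporting), here is the shape of the check a listing pipeline needs: an allow-list filter over seller-supplied HTML that strips the active content named in this story (script, Flash embeds, event handlers, javascript: links, meta refresh) and reports what it found, so the listing can be rejected rather than merely cleaned. The sample listing is constructed for the example, and the sign-in host in it (signin-ebay-example.invalid) is a hypothetical placeholder.

```python
"""Allow-list filter for seller-supplied listing HTML.

Added example, not eBay's code: it shows the kind of check the quoted
statement describes ("detect and then remove listings containing malicious
code"). Everything not explicitly allowed is dropped, so the filter does not
depend on a blocklist that the next listing can sidestep.
"""
import re
from html import escape
from html.parser import HTMLParser

# Markup a product description legitimately needs. Anything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "h1", "h2", "h3", "table", "tr", "td", "th", "div", "span",
                "a", "img"}
# Attributes kept per tag. No style, no on* handlers, nothing else.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
# Active content seen in this story: script, Flash (object/embed), frames,
# meta refresh, plus form controls that a fake sign-in page would need.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame",
               "meta", "link", "style", "form", "input", "button"}
# Tags whose body is code or fallback markup, not text: skip it entirely.
BODY_DROPPED = {"script", "style", "object", "applet", "iframe"}


def safe_url(value):
    """Only absolute http(s) URLs pass. Rejects javascript:, data:, vbscript:,
    protocol-relative //host/ links and whitespace/control-character padding."""
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return v.startswith(("http://", "https://"))


class ListingSanitizer(HTMLParser):
    """Re-emits only allowed tags/attributes and records every dropped item."""

    def __init__(self):
        # convert_charrefs also decodes entity-encoded attribute values, so
        # href="java&#115;cript:..." is checked as "javascript:..."
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.findings = []   # human-readable reasons the listing was flagged
        self.skip_depth = 0  # > 0 while inside a BODY_DROPPED element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
            if tag in BODY_DROPPED:
                self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onerror=, onload=, onclick=, ...
                self.findings.append(f"event handler {name} on <{tag}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not safe_url(value):
                self.findings.append(f"unsafe {name} on <{tag}>: {value[:40]}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # <img .../> style: same checks, but a self-closed element has no body
        self.handle_starttag(tag, attrs)
        if tag in BODY_DROPPED:
            self.skip_depth -= 1

    def handle_endtag(self, tag):
        if tag in BODY_DROPPED:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_listing(html_text):
    """Return (clean_html, findings); a non-empty findings list means the
    listing carried active content and should be removed or rejected."""
    p = ListingSanitizer()
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.findings


def contains_active_content(html_text):
    return bool(sanitize_listing(html_text)[1])


# Constructed sample listing (not taken from any real listing). The sign-in
# host is a hypothetical placeholder; the .invalid TLD never resolves.
MALICIOUS_LISTING = """
<div><h2>Apple iPhone 5s 16GB, unlocked</h2>
<p>Boxed, <b>excellent</b> condition. <a href="https://www.ebay.co.uk/">See my other items</a></p>
<script>window.location = "http://signin-ebay-example.invalid/";</script>
<img src="x" onerror="document.location='http://signin-ebay-example.invalid/'">
<embed src="redirect.swf" type="application/x-shockwave-flash">
<a href="javascript:top.location='http://signin-ebay-example.invalid/'">Buy now</a>
<meta http-equiv="refresh" content="0;url=http://signin-ebay-example.invalid/">
</div>
"""

if __name__ == "__main__":
    clean, findings = sanitize_listing(MALICIOUS_LISTING)
    for f in findings:
        print("flagged:", f)
    print(clean)
```

The point is the allow-list: a tag or attribute the filter has never heard of is dropped rather than let through, so a seller cannot get around it with a vector the blocklist forgot, and entity-encoded or whitespace-padded `javascript:` URLs are normalised before the scheme check. This stdlib version re-emits tags as it sees them; a production filter should serialize from a real DOM so that unbalanced seller markup cannot break out of the description container.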

Update 9/22/14: The BBC continues to hammer away at eBay over this issue; here is its latest article, from September 22nd.

Readers Comments (46)

by: Ming the Merciless

Fri Sep 19 20:35:23 2014

It's good to see that the beeb has more cojones than American networks that cower in the presence of His Corporateness.

Ebay doesn't care who gets hurt as long as it isn't them.

The arrogance and contemptible behavior has no end.

by: Philip Cohen

Fri Sep 19 23:26:52 2014

"... However, we are aware that active content may also be used in abusive ways. Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code."

Fortunately, it’s very easy for anyone to tell when an eBay or "PreyPal" spokesperson is being disingenuous—their lips are moving! ... http://bit.ly/11F2eas

by: P.Dorf

Sat Sep 20 05:28:00 2014

ah, those same security features designed to protect user information... look at capps youtube vids (& elsewhere) to see this xss flaw has been going on for YEARS!

by: maxmad

Sat Sep 20 05:47:04 2014

It has gone on for quite a while; we have experienced many times where our real-time virus protection halted an eBay page from loading with virus warnings.

They have caused us much grief, as we would then have to bring our business to a stop, take all our PCs offline, do full scans of our computers and network data, and determine the damage and clean the malicious code/virus.

Ebay is full of crap, a disgraceful, poorly programmed and not-to-be-trusted entity.

by: maxmad

Sat Sep 20 05:52:42 2014

FYI, the last time this happened to us (about a month ago) the malicious code was embedded in an eBay guide, not a listing.

by: Russ

Sat Sep 20 06:59:45 2014

A related article referencing the BBC appears on Engadget.  Written by Sean Buckley, his article refers to listings for used iPhones with re-directs to bogus eBay log-in pages...a nice tie-in to their TV ad campaign for that  $100 coupon if your phone doesn't sell.

Interestingly, when I clicked on the author's bio, there was a banner ad above the bio for eBay vs Verizon and how selling your phone on eBay could result in $150.00 more than if traded via Verizon...too much!

Come on down to the "bay" because the "phishing" is great!

by: brokentoys19

Sat Sep 20 07:40:16 2014

Let me reiterate from another post here. This has been going on, and they have known about (and dismissed) it since 1999!

(Internet Archives)
"Web Application Security Consortium - Web hacking Incidents Database (WHID) - View Incident By ID

WHID 1999-1: eBay downplays security hole
Reported: 04 April 2006
Occurred: 19 April 1999

Classifications:

  Attack Method: Cross Site Scripting (XSS)
  Country: USA
  Outcome: Disclosure Only

A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.

References:

  eBay downplays security hole
  News Story, CNet, 19 April 1999
  'EBayla' Bug Strikes eBay
  News Story, Wired, 19 April 1999
  The Ebayla Bug And How To Protect Yourself
  Advisory, Because We Can (Mirror), 21 April 1999

http://bit.ly/1DozDYg


Also see this and the info in the description there:
http://youtu.be/Mb8UcBfvU6o and/or search youtube for ebay xss to see countless other live examples from all kinds of v-bloggers.


Ridiculous! The most rinky-dink forums, free email service, blog comments areas etc all strip javascripting (and/or other active content) from user generated content. Ebay should too, the risk far outweighs whatever perceived advantages are. But then again, hacking and ID theft victims are just noise.

One can be glad they are not in the child care business. They would argue that leaving your kids in a hot car to die is somehow acceptable.

by: DingDong

Sat Sep 20 08:37:02 2014

Thank you BBC for pointing and stating this in public. I guess eBay hasn't paid off that government where in the USA the government poo poos it.

by: brokentoys19

Sat Sep 20 09:33:09 2014

from the bbc article:
She [ebay spokesperson] added: "Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code."

This is another example of doubletalk lies. They don't allow counterfeit either, but they just partnered with China knockoff manufacturers to flood the site with fake vintage goods.

They allow if not sanction whatever they can profit from, laws, morality, common decency be damned.

Burn down the house of ebay!

by: OnlyPollyPocket

Sat Sep 20 09:53:50 2014

When I was a little girl, my grandma said "protect your reputation at all costs; once lost it is nearly impossible to recover." Guess ebay didn't have a grandma ;)

Almost without exception, when I mention that I sell online, I hear "On ebay?" coupled with a wrinkling of the nose.

by: Ric

Sat Sep 20 10:21:16 2014

I am amazed that Wall Street analysts continue to speak positively and recommend this IT stock given the massive site vulnerabilities. eBay will do nothing about site security unless the site is attacked or unless their Wall Street Masters demand the company takes swift and definitive action to protect the site.

eBay skimps on site security because site security costs real money to implement and eBay wants to show Wall Street profits which are not depleted by such mundane things as expensive costs related to site security.

eBay is so busy trying to please their Wall Street Masters financial expectations, that unless and until there is a problem, eBay will not address it since eBay applies band aids to security issues and does not take the time or dedicate the funds to actually upgrade security on the site.

Since Wall Street actually dictates how eBay spends their money, it is time that Wall Street demands an IT company like eBay make real and significant improvements to address all aspects of site security.  

by: InternetCarScams

Sat Sep 20 11:01:09 2014

Nothing new. XSS redirects have been going on since 2006 that I know of. The older ones used Flash that may still be in use.

I produced this screen video in February this year, and used a Firefox plugin "no-script" to disable "JavaScript" and show the line of code that was redirecting the shopper elsewhere.

This was on eBay Motors UK. The motors site was infested with pages of redirects. http://wp.me/p4zfF4-2tw

by: Anonymous Annie

Sat Sep 20 11:29:09 2014

These are probably the same programmers who thought it was a good idea to prohibit the word "cookie" from being used in a listing.

See: http://tinyurl.com/qdho6y3

or

http://www.ecommercebytes.com/C/letters/blog.pl?/pl/2012/5/1337096576.html

Apparently, because they were under the myopic impression that ANY use of the word "cookie" was some sort of attempt to read, or place, cookies in the buyer's web browser.

by: Santini

Sat Sep 20 11:55:04 2014

I remember, long, long before I had any dealings with ebay when I heard the company was going public, I thought it could no longer be the described "community" of sellers and buyers as it was back in the day. It would be forced to become the quarterly report driven servant of the wall street "community".

by: WhatsUp2656

Sat Sep 20 12:48:43 2014

@Ming. I would love to connect with you and I'm not sure if that is possible. I realize and understand fully your rightful anger.

by: brokentoys19

Sat Sep 20 13:33:29 2014

Paul Kerr, the person who posted the latest video
http://youtu.be/WT5TG_LvZz4

Reports finding another one, right under ebay's nose! [facepalm]

The link to a search for it is there in the comments, a mile long (item #111468228887); it redirects to trans-insular.com. The page has been taken down, but the active listing is still present on eBay, and the redirect from eBay persists.

by: brokentoys19

Sat Sep 20 13:41:34 2014

Seller funnycat737, most likely hijacked account, shows 2 of the listings.

http://www.ebay.co.uk/sch/funnycat737/m.html

Great work ebay! What was that you were saying about cross-site scripting not being allowed?

by: The End

Sat Sep 20 13:46:51 2014

Black Eye ? We LOVE when that happens  :o)
All Ebay has to do is :
Remove ALL links to NON-EV SSL sites and the problem is SOLVED.
Of course they could also make a filter to detect the XSS JavaScript in the listings.
But they're too busy using the filter that detects the words MONEY ORDER, CHECK, & NO PAYPAL.
Morons in charge.
Hey Jack ! Take Ebay over !

by: brokentoys19

Sat Sep 20 13:57:44 2014

Re: " But they're too busy using the filter that detects the words MONEY ORDER, CHECK, & NO PAYPAL. "

Exactly! Makes me believe they must have found a way to monetize those listings. Because everything else goes POOF! in a heartbeat.

Paul Kerr also found others and has since posted another video

"ebay hacked again . 19/1/14 3nd night .... wow i would think they would have fixed this "

http://youtu.be/moyQxPQ9pJg

by: Puck

Sat Sep 20 15:07:21 2014

I was listing some unsold retread auctions yesterday through SYI Sell Similar.

On the review listing window I was prompted to sign into my account with what appeared to be the regular eBay log in page.

I just dumped the listings and moved on.
