Buying a cheap iPhone on eBay is dangerous!!!
The world's most popular auction site, eBay, has come in for severe criticism after it appeared to leave a cross-site scripting (XSS) vulnerability unfixed for approximately 12 hours, allowing attackers to redirect genuine buyers to a phishing page. eBay was notified of the cross-site scripting (XSS) vulnerability by an IT worker from Scotland who is also a certified ‘eBay PowerSeller’.
Paul Kerr, an IT worker, was browsing eBay and happened upon an iPhone listing. He discovered that the listing had been rigged to redirect potential buyers to a cloned eBay page, which could easily capture the victim's login details; the attacker could then log in to the official eBay site with those credentials and take whatever else was stored there.
Paul Kerr said he visited the listing by chance and, coming from an IT background, immediately recognized the redirection for what it was: a phishing attempt. At the time, the advert had been up for 35 minutes, he noted, and he immediately notified eBay of the problem.
The problem was that even after being notified of the fake listing and the redirection, eBay's security team took 12 hours to delete the listing. Kerr insisted that the listing remained available to potential victims despite eBay's assurances that the matter would be dealt with immediately. “They should have nailed that straight away, and they didn’t,” he commented.
About the XSS
Once a potential buyer clicked on one of these listings they were taken to a cloned eBay log-in page. On closer inspection, however, the page was actually hosted elsewhere and had been designed to harvest user log-ins for the hackers. A victim's login and password, once saved by the hackers, could be used to sign in to the real eBay site and steal the credit card or banking details the victim had saved for purchases.
According to the BBC website, the same malicious seller posted three listings in total, at least two of which contained the redirection code. eBay's security team, however, confirmed the existence of only one.
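The defence against this class of listing abuse is to treat seller-supplied HTML as untrusted and strip anything that can execute or redirect before it is rendered to buyers. The sanitizer below is an added example written for this article, not eBay's code; it assumes listings are stored as HTML fragments, that the marketplace host is `ebay.com`, and uses a constructed sample listing containing the kinds of redirect and active content described above. It removes script, meta-refresh and similar elements, drops inline event handlers, rejects `javascript:`/`data:` URLs and, in line with a policy on third-party links, strips link targets that point off the marketplace, reporting each removal so a review queue can be alerted.

```python
"""Sanitizer for seller-supplied listing HTML (added example, not eBay's code).

Assumptions: listings are HTML fragments and the marketplace host is
'ebay.com' (ALLOWED_HOST). Returns the cleaned fragment plus a list of
findings so that a listing with removals can be flagged for review.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that can run code, embed foreign content or redirect the visitor.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "meta", "link", "form", "style", "base"}
# Elements whose text content is discarded too, not just the tags themselves.
DROP_CONTENT = {"script", "style"}
# Attributes that carry URLs and are checked against the third-party-link policy.
URL_ATTRS = {"href", "src", "action", "formaction"}
ALLOWED_HOST = "ebay.com"  # assumption for this example


class ListingSanitizer(HTMLParser):
    def __init__(self, allowed_host=ALLOWED_HOST):
        super().__init__(convert_charrefs=True)
        self.allowed_host = allowed_host.lower()
        self.out = []
        self.findings = []
        self._skip_depth = 0  # >0 while inside an element whose content is dropped

    def _url_is_disallowed(self, value):
        parsed = urlparse(value.strip())
        if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
            return True  # javascript:, data:, vbscript: ... are never allowed
        host = (parsed.hostname or "").lower()
        if not host:
            return False  # relative link stays on the marketplace
        return host != self.allowed_host and not host.endswith("." + self.allowed_host)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip_depth += 1
        if self._skip_depth or tag in ACTIVE_TAGS:
            self.findings.append(f"removed <{tag}> element")
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"removed event handler {lname} on <{tag}>")
                continue
            if lname in URL_ATTRS and value is not None and self._url_is_disallowed(value):
                self.findings.append(f"removed third-party/active URL in <{tag} {lname}>")
                continue
            kept.append((lname, value))
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}" for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing tags (<br/>, <img/>) are treated as plain start tags.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag in ACTIVE_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text content


def sanitize_listing(html, allowed_host=ALLOWED_HOST):
    """Return (clean_html, findings) for a seller-supplied HTML fragment."""
    parser = ListingSanitizer(allowed_host)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample listing: a meta refresh and a script that both try to send
# the visitor off-site, an inline event handler, and one off-site link.
SAMPLE_LISTING = (
    '<h1>Apple iPhone - bargain</h1>'
    '<meta http-equiv="refresh" content="0;url=https://example.net/login">'
    '<img src="https://i.ebay.com/photo.jpg" onerror="alert(1)">'
    '<script>location.replace("https://example.net/login")</script>'
    '<p>Click <a href="https://example.net/login">here</a> to buy, '
    'or see <a href="/itm/123">the real listing</a>.</p>'
)

if __name__ == "__main__":
    clean, findings = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    for f in findings:
        print("FLAG:", f)
```

The findings list is as important as the cleaned output: a listing that needed four removals is exactly the kind of item a marketplace should hold for manual review rather than publish, which is the gap the 12-hour response time in this story exposed.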
All three listings have been removed by eBay, the spokesman added that, “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links”
It is not known how many eBay buyers fell victim to this iPhone listing in the 12 hours it was online, but given the iPhone's popularity a good number of people may well have been caught in the hackers' trap.
This is not the first time XSS vulnerabilities in the eBay website have been abused by malicious actors, and it probably won't be the last. Kerr made a video about the vulnerability, which may help future eBay buyers tell genuine listings from malicious ones.