Malicious eBay listings redirect iPhone buyers to phishing site

Buying a cheap iPhone on eBay is dangerous!!!

The world's most popular auction site, eBay, has come in for severe criticism after it apparently failed to fix a cross-site scripting (XSS) vulnerability for approximately 12 hours. The flaw allowed attackers to redirect genuine buyers to a phishing page. eBay was notified about the XSS vulnerability by an IT worker from Scotland who is also a certified ‘eBay PowerSeller’.

Paul Kerr, an IT worker, was browsing eBay when he came across an iPhone listing. He discovered that the listing had been rigged to redirect potential buyers to a cloned eBay page, which could easily steal the victims' login details; with those credentials in hand, the attackers could then log in to the official eBay site as the victim.

Paul Kerr said he visited the listing by chance and, coming from an IT background, immediately recognised the redirection for what it was: a phishing attempt. At the time the advert had been up for 35 minutes, he noted, and he immediately notified eBay of the problem.

The problem was that even after being notified about the fake listing and its redirections, eBay's security team took 12 hours to delete it. Kerr insisted that the listing remained available to potential victims despite his receiving assurances from eBay that the matter would be dealt with immediately. “They should have nailed that straight away, and they didn’t,” he commented.

About the XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. In eBay's case, the hackers had apparently exploited this common vulnerability to inject malicious JavaScript into several listings for cheap iPhones, which have been in the news recently due to the launch of the iPhone 6 and iPhone 6 Plus.

Once a potential buyer clicked on one of these listings, they were taken to a cloned eBay log-in page. On closer inspection, however, the page was actually hosted elsewhere and had been designed to harvest users' log-ins for the hackers. Once the hackers had captured a victim's login and password, they could use them to go to the real eBay site and steal the credit card or banking information the victim had saved for purchases.

According to the BBC website, a total of three listings were posted by the same malicious seller, and at least two contained the redirection code. However, eBay's security team confirmed the existence of only one.

All three listings have since been removed by eBay. A spokesman added: “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links”.
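The listing described above combined two things a marketplace can check for before seller-supplied HTML is shown to buyers: active content (the injected JavaScript that performed the redirect) and links that leave the site (the "third-party links" policy eBay cites). The following allowlist sanitizer is an added example written for this article; it is not eBay's code, and the marketplace host names and the sample listing are constructed for the demonstration. It drops script blocks, event-handler attributes and non-http(s) URLs, refuses links to hosts outside the trusted set, and returns a list of violations that a moderation queue could act on.

```python
"""Allowlist sanitizer for seller-supplied listing HTML (added example, not eBay's code).

Two defensive checks are applied to a listing description:
  1. strip active content: <script>/<style> blocks, on* event handlers,
     and URLs whose scheme is not http or https (e.g. javascript:)
  2. flag links and images that point outside the marketplace's own hosts
     (the "third-party links" policy mentioned in the article)
TRUSTED_HOSTS and SAMPLE_LISTING are constructed values for this example.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "ul", "li", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Constructed host names standing in for the marketplace's own domains.
TRUSTED_HOSTS = {"www.example-marketplace.test", "i.example-marketplace.test"}


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized HTML fragments
        self.violations = []   # human-readable reasons for moderation
        self._skip_depth = 0   # > 0 while inside <script>/<style>, whose text is dropped

    def _safe_url(self, attr, value):
        """Return the URL if it is same-site or points at a trusted host, else None."""
        parsed = urlparse(value.strip())
        if parsed.scheme == "" and parsed.netloc == "":
            return value  # relative path on the marketplace itself
        if parsed.scheme not in ("http", "https"):
            self.violations.append(f"blocked {attr} scheme {parsed.scheme!r}")
            return None
        if parsed.hostname not in TRUSTED_HOSTS:
            self.violations.append(f"third-party link to {parsed.hostname}")
            return None
        return value

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            self.violations.append(f"dropped <{tag}> block")
            return
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"dropped <{tag}>")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onerror, onload, ...
                self.violations.append(f"dropped event handler {name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src"):
                value = self._safe_url(name, value or "")
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(escape(data))  # re-escape text so it can never become markup


def sanitize_listing(html_text):
    """Return (clean_html, violations) for one seller-supplied listing description."""
    s = ListingSanitizer()
    s.feed(html_text)
    s.close()
    return "".join(s.out), s.violations


# Constructed sample modelled on the article: a script that redirects the page,
# a link to an off-site "login" host, an inline handler, and one legitimate image.
SAMPLE_LISTING = (
    '<p>Apple iPhone 6, 64GB, <b>sealed</b></p>'
    '<script>window.location="http://login-verify.example.net/ebay"</script>'
    '<a href="http://login-verify.example.net/ebay" onclick="go()">Buy it now</a>'
    '<img src="https://i.example-marketplace.test/phone.jpg" alt="phone">'
)

if __name__ == "__main__":
    clean, problems = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    for p in problems:
        print("violation:", p)
```

In practice the violations list is the more useful output: a listing that triggers a "dropped <script> block" or "third-party link" entry is exactly the kind that should be held for review rather than published and cleaned silently, since the seller's intent is already clear.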

It is not known how many eBay buyers may have fallen victim to this iPhone listing in the 12 hours it was online. Given the iPhone's popularity, there is a chance that a good number of people actually fell into the hackers' trap.

This is not the first time XSS vulnerabilities in the eBay website have been misused by malicious actors, and it probably won't be the last. Kerr made a video about the vulnerability, which may help future eBay buyers tell genuine listings from bad ones.
