The British website of online retailer eBay was compromised through a cross-site scripting (XSS) vulnerability, exploited to steal customers` login credentials, according to the BBC.
Attackers apparently planted malicious Javascript code in product listings to redirect eBay customers interested in cheap Apple smartphones to a spoofed eBay welcome page. Once there, they were asked to enter their account username and password.
The incident was first reported by Paul Kerr, an IT worker from Scotland who contacted eBay and was told that the matter would be considered “of the highest level of security”.
However, the company was criticized for its 12-hour response time in fixing the issue.
“eBay is a large company and it should have a 24/7 response team to deal with this – and this case is unambiguously bad,” said Steven Murdoch from University College London’s Information Security Research Group.
In a statement, the retailer said the issue only affected one item listed on the UK site, information questioned by the BBC.
“This report relates only to a Ëœsingle item listing` on eBay.co.uk whereby the user has included a link which redirects users away from the listing page,” a spokesperson said. “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”
tags
Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs.
View all posts