eBay JavaScript Attack Puts Users at Risk


Alvin Bryan

Alvin Bryan is a freelance writer and online privacy enthusiast currently contributing quality tips and troubleshooting on personal VPN services, and online privacy and security news. You can also find him on Google +.

Since February this year, there has been a nasty error on eBay. The bug has put users in the grasp of malicious websites via certain eBay listings. JavaScript code that had been inserted into product pages is responsible. eBay is taking heat over this incident, so close to the February data breach that put millions of users’ data at risk.

Malicious JavaScript on Listings

Malicious eBay JavaScript is notoriously dangerous code. It can be manipulated to execute actions other than those originally intended, as in the recent Xfinity ad scandal. It can also go wrong of its own accord, creating holes in website security that can be exploited, as with last year’s HTML5 issue. This time, malicious code was placed directly on eBay product listings. eBay finally announced this problem, but failed to alert users early on. Customers on the site since February could have been subject to identity theft without their knowledge. This is another blunder by the huge auction site, which also failed to respond in a timely manner to the earlier Rosetta Flash attack. eBay database and daughter site StubHub was also attacked last July.

eBay suffered a data breach last February which is related to this security issue. Then, an estimated 233 million people’s personal details were stolen. Users had to change their passwords in May to secure their accounts. But now we learn that the malicious script was still on the site. Even if they changed their passwords after the February data breach, users were still vulnerable to having their new credentials stolen. Now that eBay says the problem has been fixed, users need to change their eBay login passwords again to protect their accounts.

What the JavaScript did on eBay was to redirect users to other websites until they found themselves on a fake eBay page. This page asked users to enter their usernames and passwords again. It was intended to steal user identities, according to analysts. According to eBay, the script targeted top users of the site whose trusted accounts were used to attract other users to the malicious links. The hackers implanted phishing techniques into the site that were undetectable to eBay’s anti-malware scanners.

Users Beware

Customers on eBay who have experienced being logged in then being inexplicably asked to enter their usernames and passwords again are urged to change their passwords. eBay announced that the posts containing the malicious JavaScript code have been deleted and that the site is now clean. But users who may have been affected between the time of the first password change and now need to take this precaution. Sophos security company representative James Lyne says that some redirects still exist on the site, and the actual end goal of the hackers is still a mystery.

The bottom line is that eBay just does not have many security systems in place to catch attackers. They don’t even have common ones like unknown IP detection. eBay tried to ease users’ minds by saying that these types of attacks are common and target a lot of different sites. But the truth is that the particular exploit that got past eBay’s minimal defenses is an old one. Even a spokesperson from eBay said that it could have been averted had the site disallowed the use of dangerous code like JavaScript and Flash. eBay needs to stop blaming their users, though, and start taking a serious interest in customer data protection.
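The mitigation mentioned above, disallowing active content such as JavaScript and Flash in listings, begins with finding it in seller-supplied HTML. The following Python scanner is an added example, not eBay's code or anything from the original article; the tag and attribute lists, the function names and the sample listing are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed policy: elements that run or load active content (script, Flash, frames).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
# Attributes whose value is a URL the browser may load or navigate to.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
# URL schemes that execute script when followed.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects (line, reason) findings for active content in listing HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        if tag == "meta" and (dict(attrs).get("http-equiv") or "").lower() == "refresh":
            self.findings.append((line, "meta refresh redirect"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((line, f"event handler {name}"))
            elif name in URL_ATTRS and value:
                # Browsers strip leading spaces and embedded tabs/newlines from URLs.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append((line, f"script URL in {name}"))


def scan_listing(html):
    """Return findings for one listing description; an empty list means clean."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample listing, not taken from any real eBay page.
SAMPLE_LISTING = """<p>Brand new phone, <b>free shipping</b>.</p>
<a href="https://example.com/photos">More photos</a>
<script src="https://cdn.example.net/widget.js"></script>
<img src="item.jpg" onerror="track()">
<a href=" JavaScript:void(0)">Details</a>
<embed src="banner.swf">"""
```

A listing that yields any finding can be rejected or held for review at submission time, before it is ever served to buyers.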
