eBay’s getting flak for its chilled response to a serious attack.
On Wednesday, a redirect attack was discovered on the auction site, working to grab customers’ credentials on a spoofed eBay site.
The company left up the listing, which appeared to be advertising an iPhone 5S for sale, for 12 hours after it was reported on Wednesday night.
Paul Kerr, an IT worker from Alloa in Clackmannanshire who the BBC says is also an “eBay PowerSeller”, is responsible for finding and reporting the attack, having clicked on the listing and then having been bounced around through a series of pages.
eBay only took the listing down after the BBC called to follow up on it, the news outlet reports.
A security researcher – Dr. Steven Murdoch from University College London’s Information Security Research Group – was able to analyse the workings of the malevolent listing before eBay removed it.
He found that the attack was employing cross-site scripting (XSS) – a common technique used to break into websites that works by exploiting a flaw in a site that then allows for the injection of client-side script code by unauthorized users.
Twitter, for its part, in June had to jump to block an XSS worm in Tweetdeck that was allowing users to inject script code into a tweet to take advantage of the Tweetdeck bug and execute code inside the browser of Tweetdeck users.
In the case of eBay, all users had to do for their browsers to be hijacked was to click on the boobytrapped listing.
eBay reportedly downplayed the attack. The BBC quoted a spokesman:
This report relates only to a 'single item listing' on eBay.co.uk whereby the user has included a link which redirects users away from the listing page.
We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.
The “single listing” part of that isn’t true, says the BBC, which went on to identify three rigged listings that it says were posted by one account – two of which were conducting redirects, one of which eBay removed before it could be checked.
Kerr managed to record a video of the attack in progress that he posted to YouTube.
He didn’t fall for it, himself, having noticed that the web address of the page he was sent to looked funky.
That’s a good reminder for the rest of us: keep an eye on that URL, most particularly when you find yourself unexpectedly getting led through a maze of pages!Follow @NakedSecurity