eBay heavily criticized for leaving user data exposed

eBay is being put under intense pressure by leading security researchers to take action over the dangerous listings that are tricking customers into giving away their personal data.

The vulnerability relates to user's ability to insert custom JavaScript and Flash content into their listing pages, which significantly raises the likelihood of malicious code being included through a technique known as cross-site scripting (XSS).

The compromised pages appear as legitimate listings, but when clicked upon the user is automatically re-directed to a malicious website designed to steal personal information such as credit card details.

James Lyne, from security firm Sophos, said, "The summary is that it is exceptionally dodgy and redirecting the user to a nasty web page with some really suspect scripts.

"At present we can't get our hands on the end payload, so can't be sure of the attackers' complete motive, but it is clear there are still nasty malicious redirects on the eBay site".

It is unclear exactly how long this has been an issue on the site, with some experts saying that the problem has been present for over a year.

"Many of our sellers use active content like JavaScript and Flash to make their eBay listings perform better," eBay said in a statement.

"We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security".

This stance has been heavily criticized by several industry professionals, including Mikko Hypponen from security firm F-Secure, "It's not OK for eBay to have cross-site scripting vulnerabilities on its website.

"If they can't make it work without the risk of exposing users to cross-site scripting, they shouldn't allow it".

Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.