Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 27th, 2008

Another Cross-Site Scripting Vulnerability On eBay Domain Sites Allows Phishing

According to an XSSed report, eBay is vulnerable to cross-site scripting (XSS) that could be abused by scammers to take advantage of eBay user accounts. Injected JavaScript code can redirect users to fake phishing pages where they are asked to log in to their account. Victims who click on what appears to be a genuine eBay search result are also exposed to malware infection.

Among the affected domains are:

Last year's cross-site scripting vulnerability on eBay could trick people into handing over their personal information to scammers. eBay promptly patched the flaw, but experts wondered how long the fix would hold. The previous flaw was exactly the same: it allowed a scammer to use this type of attack to redirect people from an eBay listing to a spoofed eBay site. A year ago experts said that hackers could easily modify the JavaScript code to trigger the same behavior again, and it seems they were right.

Here is the vulnerability example from XSSed:

<SCRIPT>if (top == window)location.href =''</SCRIPT>
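As an added example (not from the XSSed report, eBay, or the original article), the following JavaScript shows why a payload of this shape runs when a search term is reflected into a page unescaped, and how HTML-escaping the reflected value renders it as harmless text instead. The renderResults* functions, the escape table, the script-tag check, and the placeholder URL in the sample payload are all constructed for this illustration and are assumptions, not anything from eBay's site.

```javascript
// Added example (not from the XSSed report or eBay): reflecting a search term
// into HTML with and without output encoding, to show how the injected
// <SCRIPT> payload is neutralised by escaping.

// Minimal HTML entity map covering the characters that matter in text content
// and in double- or single-quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape an untrusted string so it can be placed inside HTML text or a quoted
// attribute without being parsed as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulated search-results page, vulnerable form: the query is interpolated
// verbatim, so any markup in it becomes part of the document.
function renderResultsVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened form: the query is escaped before interpolation, so the browser
// renders the payload as literal text.
function renderResultsHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Constructed payload modelled on the frame-busting redirect above; the URL
// is a placeholder (example.invalid is reserved for documentation).
const SAMPLE_PAYLOAD =
  "<SCRIPT>if (top == window)location.href ='https://example.invalid/'</SCRIPT>";

// Crude post-render check a test or a response-inspection hook can apply:
// does the produced HTML still contain a live script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable :', renderResultsVulnerable(SAMPLE_PAYLOAD));
console.log('hardened   :', renderResultsHardened(SAMPLE_PAYLOAD));
console.log('script tag survives in vulnerable output:',
  containsScriptTag(renderResultsVulnerable(SAMPLE_PAYLOAD)));
console.log('script tag survives in hardened output  :',
  containsScriptTag(renderResultsHardened(SAMPLE_PAYLOAD)));
```

The escape table is deliberately context-specific: it is correct for HTML text and quoted attribute values, but a value placed inside a JavaScript string, a URL, or a CSS block needs that context's own encoding, which is exactly the kind of gap that lets a patched reflection point reopen when a new one is added.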

The XSS issues were submitted to XSSed by S_e_YM_e_N, Azat Harutyunyan, and Uber0n.

The vulnerability was already reported to eBay but currently remains unfixed.
