eBay: it's all down to the Java...

With the online auction portal coming up for its 20th anniversary next year - and rated the 27th most popular site on the Internet - eBay has been subject to a barrage of criticism over the years about forgeries on open sale, and about contentious items sold on some of its country-specific sites. Now the auction giant has been rocked by accusations that the structure of its listings allows cross-site scripting (XSS) attacks to be carried out quickly and easily.

Research by the BBC has revealed that the facility for linking to third-party Web sites from within a listing box - normally used to pull data and pictures from hosting services such as Auctiva - can be hijacked to send the user to a third-party page designed to steal their credentials.

Reports of the XSS attack started circulating late yesterday, with the BBC noting that malicious JavaScript could be embedded in product listing pages. This allowed the cybercriminals to send users outside eBay's normally limited range of permitted third-party sites.

Interestingly, whilst eBay has sought to downplay the significance of the attack, the BBC claims to have found at least three listings using the JavaScript-based XSS redirect technique.

This isn't the first time that eBay's security has been compromised. In May of this year the auction giant required all its users to change their passwords after revealing that a database - apparently containing encrypted passwords and other credentials - had been compromised.

According to Chris Oakley, principal security consultant with Nettitude, XSS attacks have been a known attack vector for many years.

The impact of such an attack, he explained, can be wide and varied: it is possible to leverage a cross-site scripting flaw to deliver malware to an unsuspecting victim or - as appears to be the case here - to redirect users to malicious sites designed to capture their credentials.

"eBay appears to have been vulnerable to a variant of cross-site scripting that allowed malicious code to be delivered to its users without any interaction between the attacker and the victim required, which is arguably the most severe form of this vulnerability. XSS is currently ranked as number three in the OWASP Top Ten, which is an authoritative source of the most common web application vulnerabilities," he said.