eBay Man-In-The-Middle Puts Customer Credentials At Risk

Web Services // UK

Hackers compromised some listings on the online marketplace in a way that redirects shoppers to a site that can steal their personal information.

For example, a listing for an iPhone 5S contained code that sent users to the mock site. The site resembles eBay’s welcome page.

The company was alerted to the hack on Wednesday night but took down the listings only after a follow-up call from the BBC more than 12 hours later.

The hijacking was accomplished by a technique known as cross-site scripting (XSS).

“It involved the attackers placing malicious JavaScript code within product listing pages,” the BBC explains. “This code in turn automatically redirected affected users through a series of other websites, so that they ended up at the page asking for their eBay log-in and password.”

Users merely had to click the original listing to have their browser attacked.
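The attack described above works because listing pages accept seller-supplied HTML and the marketplace published it with active content intact. The following is an added example, not eBay's or the BBC's code: a small server-side scanner of the kind a marketplace could run on listing markup before publishing it, flagging the constructs that let a listing redirect a shopper off-site (script elements, inline event handlers, script URIs, meta refresh). The tag and attribute policy, the sample listings and the `.invalid` hostnames are all constructed for this example and are not eBay's actual rules.

```python
"""Allowlist-style scanner for seller-supplied listing HTML.

Added example, not eBay's or the BBC's code. The policy below (which tags
and attributes count as active content) is an assumption made for this
example; a real marketplace would pair it with a proper HTML sanitizer.
"""
from html.parser import HTMLParser

# Tags that execute script or pull in third-party documents.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "frame", "form"}
# URL-bearing attributes that must not carry a script or data URI.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
# URI schemes that execute code or embed arbitrary content.
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}


class ListingScanner(HTMLParser):
    """Collects a list of findings; an empty list means no active content."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        attr_map = {name: (value or "") for name, value in attrs}
        # Inline event handlers (onclick, onload, onerror, ...) run script
        # without any <script> element being present.
        for name in attr_map:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name} on <{tag}>")
        # Browsers ignore whitespace and control characters inside the scheme,
        # so strip them before comparing.
        for name in URL_ATTRS.intersection(attr_map):
            compact = "".join(
                ch for ch in attr_map[name] if not ch.isspace() and ord(ch) >= 0x20
            )
            scheme = compact.lower().split(":", 1)[0]
            if scheme in SCRIPT_SCHEMES:
                self.findings.append(f"{scheme}: URI in {name} on <{tag}>")
        # <meta http-equiv="refresh"> redirects with no script at all.
        if tag == "meta" and attr_map.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")


def scan_listing(html: str) -> list[str]:
    """Return every active-content finding in the listing markup."""
    scanner = ListingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_safe_listing(html: str) -> bool:
    """True when the listing contains none of the flagged constructs."""
    return not scan_listing(html)


# Constructed sample listings (not real eBay listings).
CLEAN_LISTING = (
    '<p>Brand new <b>iPhone 5S</b>, 16GB.</p>'
    '<a href="https://www.ebay.co.uk/">Seller page</a>'
    '<img src="https://img.example.invalid/phone.jpg">'
)
SCRIPT_LISTING = (
    "<p>iPhone 5S, boxed.</p>"
    '<script>window.location = "https://login.example.invalid/";</script>'
)
META_LISTING = (
    '<meta http-equiv="refresh" content="0; url=https://login.example.invalid/">'
    "<p>iPhone 5S, boxed.</p>"
)

if __name__ == "__main__":
    for label, html in [("clean", CLEAN_LISTING), ("script", SCRIPT_LISTING),
                        ("meta", META_LISTING)]:
        print(label, "->", scan_listing(html) or "no findings")
```

Rejecting a listing on any finding is the simplest policy; a marketplace that wants to allow rich listings would instead run an allowlist sanitizer and use the findings here only for logging and seller-account review.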

"The websites the user is being redirected to are almost certainly compromised by the attacker

The sham page the users ultimately arrived at contained code that had the potential to carry out further malicious activity.

A spokesman for eBay downplayed the hack. "This report relates only to a 'single item listing' on eBay.co.uk whereby the user has included a link which redirects users away from the listing page," he said. "We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links."

But the BBC identified three listings that had been posted by the same account.

At least two of them produced the same malicious effect.

The issue was originally discovered by Paul Kerr, an IT worker from Alloa in Clackmannanshire who is also an "eBay PowerSeller".

He recorded a screen-capture video of the fraud, which he uploaded to YouTube as evidence.

He called the firm shortly after he had clicked on the listing for an iPhone and been redirected. At that time, the advert had been up 35 minutes.

“When I spoke to the lassie on the phone, she said: ‘I'm going to report that to the highest level of security to get it looked into,’” Kerr told the BBC. “They should have nailed that straight away, and they didn't,” he said.