An IT worker from Scotland who is also an “eBay PowerSeller” has discovered an eBay listing for an iPhone that was rigged to redirect potential buyers to a spoofed eBay login page.
Paul Kerr happened upon the listing by chance, and immediately recognized the redirection for what it was: a phishing attempt. At the time, the advert had been up for 35 minutes, he noted, and he immediately notified eBay of the problem.
But, despite getting assurances that the matter would be dealt with immediately, the listing remained available for over 12 hours, Kerr claims. “They should have nailed that straight away, and they didn’t,” he commented.
As proof of his finding, Kerr captured a video of the attack:
All three listings have been removed by eBay, but its spokesman admitted the existence of only one. “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links,” he added.
Chances are good that some people have fallen for this phishing scheme, but it’s difficult to say what the exact number could be.
This is not the first time that XSS vulnerabilities in the eBay website have been misused by malicious actors, and it probably won’t be the last.