eBay sellers attempt to steal log-ins: What to tell your users

Cross-site scripting attacks, one of the most common tactics for hacking accounts, were recently found on eBay, one of the largest online retailers out there. Here’s how to keep your users safe – no matter which sites they’re on. 

Falling victim to a cross-site scripting attack may be easier than it seems. A security researcher found that when he tried opening a listing for an iPhone, he was redirected to a page that required him to re-enter his eBay username and password.

Only the log-in page wasn’t on eBay at all. It was a third-party site designed to look exactly like eBay’s home page, built to steal account credentials and potentially expose victims to other attacks.

Worse yet, even after being alerted to the malicious link, eBay took more than 12 hours to remove it from their site.

Keeping users safe

The attacker was able to insert malicious JavaScript code into the listing to cause the redirect. This kind of script injection is a notoriously frequent source of web security bugs. Preventing these attacks is largely up to the site operator, which leaves users mostly at the mercy of the server side being kept secure.

(With recent password breaches against eBay and its ticket re-selling partner StubHub, that might not be a very comforting position for IT managers to be in.)

But there are things users can do to help avoid getting caught in a cross-site scripting attack:

  • Check the URL. Users should make sure the address of the page they’re on matches where they intend to be. In this case, the URL of the fake eBay log-in page was completely different from eBay’s; in other attacks, it will be a similar-looking or slightly misspelled URL.
  • Keep browsers up-to-date. An up-to-date browser will detect and block many cross-site scripting attacks. It’s usually best to run the most recent version.
  • Look for unexpected behavior. If a page suddenly redirects you to enter sensitive information out of nowhere, it could be a sign that something malicious is going on.
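A concrete form of the "check the URL" advice, written here as an added example (not code from the article or from eBay): a hostname check that accepts only HTTPS pages on the expected domain and rejects the look-alike and misspelled forms the list warns about. The expected domain and the sample URLs are assumed and constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical helper, not eBay's code. EXPECTED_DOMAIN is the registrable
# domain a genuine log-in page must belong to (assumed for this example).
EXPECTED_DOMAIN = "ebay.com"


def is_expected_login_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> bool:
    """Return True only if url uses HTTPS and its host is expected_domain or a
    subdomain of it. Substring checks are deliberately avoided: they would
    accept look-alikes such as signin.ebay.com.evil.example or my-ebay.com."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = parts.hostname  # drops userinfo, port and brackets; lower-cased
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")  # "signin.ebay.com." names the same host
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


# Constructed sample URLs: one genuine-looking sign-in URL plus the kinds of
# addresses a phishing page tends to use.
SAMPLES = {
    "https://signin.ebay.com/signin": True,
    "https://signin.ebay.com.evil.example/login": False,  # real name as a prefix
    "https://my-ebay.com/login": False,                   # look-alike domain
    "https://signin.ebay.com@evil.example/login": False,  # userinfo trick
    "http://signin.ebay.com/signin": False,               # no TLS
    "https://ebay.co/login": False,                       # misspelled TLD
}


def check_samples() -> dict:
    """Map each sample URL to the verdict of is_expected_login_url."""
    return {u: is_expected_login_url(u) for u in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(("OK      " if verdict else "SUSPECT ") + url)
```

The same check is what a browser-extension or proxy rule would apply before letting a credential form submit; the userinfo and prefix cases are the ones naive `"ebay.com" in url` tests get wrong.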
