This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.
You can find the current article at its original source at http://www.bbc.co.uk/news/technology-29310042
The article has changed 4 times. There is an RSS feed of changes available.
| Version 1 | Version 2 |
|---|---|
| eBay under pressure as hacks continue | eBay under pressure as hacks continue |
| (36 minutes later) | |
| Leading security researchers have called on eBay to take immediate action over dangerous listings, as the problem continues to put users at risk. | Leading security researchers have called on eBay to take immediate action over dangerous listings, as the problem continues to put users at risk. |
| The BBC has now identified more than 100 listings that had been exploited to trick customers into handing over personal data. | The BBC has now identified more than 100 listings that had been exploited to trick customers into handing over personal data. |
| Over the weekend, readers got in touch with the BBC, saying they had attempted to warn eBay about the problem. | Over the weekend, readers got in touch with the BBC, saying they had attempted to warn eBay about the problem. |
| The company said it would "continue to review all site features and content". | The company said it would "continue to review all site features and content". |
| The BBC has found that: | The BBC has found that: |
| The vulnerability centres around users' ability to place custom Javascript and Flash content into their listings pages. | The vulnerability centres around users' ability to place custom Javascript and Flash content into their listings pages. |
| Often sellers will use this method to make their pages look more exciting, with animations or other eye-catching techniques. | Often sellers will use this method to make their pages look more exciting, with animations or other eye-catching techniques. |
| But use of Javascript and Flash, eBay acknowledged, significantly raised the likelihood that malicious code could be included within the site's pages - due to a hacking technique known as cross-site scripting (XSS). | But use of Javascript and Flash, eBay acknowledged, significantly raised the likelihood that malicious code could be included within the site's pages - due to a hacking technique known as cross-site scripting (XSS). |
| It meant users clicking on eBay listings that appeared legitimate were being automatically re-directed to harmful websites designed to steal user information, including credit card details. | It meant users clicking on eBay listings that appeared legitimate were being automatically re-directed to harmful websites designed to steal user information, including credit card details. |
| "The summary is that it is exceptionally dodgy and redirecting the user to a nasty web page with some really suspect scripts," said James Lyne from the security firm Sophos. | "The summary is that it is exceptionally dodgy and redirecting the user to a nasty web page with some really suspect scripts," said James Lyne from the security firm Sophos. |
| "At present we can't get our hands on the end payload, so can't be sure of the attackers complete motive, but it is clear there are still nasty malicious redirects on the eBay site." | "At present we can't get our hands on the end payload, so can't be sure of the attackers complete motive, but it is clear there are still nasty malicious redirects on the eBay site." |
| The problem has affected the site since at least February, the BBC has confirmed - although some experts say it has been an issue for more than a year. | The problem has affected the site since at least February, the BBC has confirmed - although some experts say it has been an issue for more than a year. |
| In a statement, eBay said: "Many of our sellers use active content like Javascript and Flash to make their eBay listings perform better. | In a statement, eBay said: "Many of our sellers use active content like Javascript and Flash to make their eBay listings perform better. |
| "We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security." | "We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security." |
| 'Not OK' | 'Not OK' |
| The stance has had security professionals queuing up to criticise the site's security practice. | The stance has had security professionals queuing up to criticise the site's security practice. |
| "It's not OK for eBay to have cross-site scripting vulnerabilities on its website," said Mikko Hypponen, from security firm F-Secure. | "It's not OK for eBay to have cross-site scripting vulnerabilities on its website," said Mikko Hypponen, from security firm F-Secure. |
| "If they can't make it work without the risk of exposing users to cross-site scripting, they shouldn't allow it." | "If they can't make it work without the risk of exposing users to cross-site scripting, they shouldn't allow it." |
| Security researcher Brian Honan called for eBay to disable the active content until it could reassure customers. | Security researcher Brian Honan called for eBay to disable the active content until it could reassure customers. |
| "Obviously having Javascript and Flash and all that wonderful stuff is great for the seller," he told the BBC. | "Obviously having Javascript and Flash and all that wonderful stuff is great for the seller," he told the BBC. |
| "But it exposes eBay and its customers to security risks. Until eBay has the ability to automatically identify malicious links, it should disable Javascript until they have some way of better controlling the risk. | "But it exposes eBay and its customers to security risks. Until eBay has the ability to automatically identify malicious links, it should disable Javascript until they have some way of better controlling the risk. |
| "The needs of the many outweigh the needs of the few." | "The needs of the many outweigh the needs of the few." |
| Dr Steven Murdoch, from University College London's Information Security Research Group, added: "Sellers do use active content, but I expect a very large proportion of needs could be fulfilled with some eBay-provided Javascript which has been carefully checked for safety by eBay." | Dr Steven Murdoch, from University College London's Information Security Research Group, added: "Sellers do use active content, but I expect a very large proportion of needs could be fulfilled with some eBay-provided Javascript which has been carefully checked for safety by eBay." |
| 'Congratulations!' | 'Congratulations!' |
| The BBC got in touch with one user whose account had been used to post malicious listings using the XSS vulnerability. | The BBC got in touch with one user whose account had been used to post malicious listings using the XSS vulnerability. |
| Russell Dearlove, from York, told the BBC his account had been "acting strangely". He was temporarily locked out of his account, and listings had been posted by an unknown person. | Russell Dearlove, from York, told the BBC his account had been "acting strangely". He was temporarily locked out of his account, and listings had been posted by an unknown person. |
| "I kept getting messages flashing up on my email saying, 'Congratulations you've sold your iPad'. I didn't have an iPad to sell! | "I kept getting messages flashing up on my email saying, 'Congratulations you've sold your iPad'. I didn't have an iPad to sell! |
| "I emailed eBay to say there's something not quite right here. I got no response but they have sent me a statement saying I owed about £35. | "I emailed eBay to say there's something not quite right here. I got no response but they have sent me a statement saying I owed about £35. |
| "They basically sent me a statement saying, 'This is what you owe for your selling fees.'" | "They basically sent me a statement saying, 'This is what you owe for your selling fees.'" |
| The range of products listed by the scammers has ranged from gadgets and televisions to garden furniture and Adidas clothing. | The range of products listed by the scammers has ranged from gadgets and televisions to garden furniture and Adidas clothing. |
| In response to Mr Dearlove's issue, eBay said: "Account takeovers generally occur as a result of a user disclosing their IDs or password. | In response to Mr Dearlove's issue, eBay said: "Account takeovers generally occur as a result of a user disclosing their IDs or password. |
| "Unfortunately, it is a common practice of criminals to exploit well-known, trusted brand names like eBay to attract consumers and then lure them to a fake website or into other fraudulent situations." | "Unfortunately, it is a common practice of criminals to exploit well-known, trusted brand names like eBay to attract consumers and then lure them to a fake website or into other fraudulent situations." |
| Customer complaints | Customer complaints |
| Since the BBC posted its first story on the issue last week, more than a dozen users have come forward expressing concern about the site's security and process for dealing with customer complaints. | Since the BBC posted its first story on the issue last week, more than a dozen users have come forward expressing concern about the site's security and process for dealing with customer complaints. |
| Many provided chat transcripts with eBay support staff. In one, a user was told to "clear the cache and the cookies" when reporting a malicious link. It later said the issue was being escalated to support staff. | Many provided chat transcripts with eBay support staff. In one, a user was told to "clear the cache and the cookies" when reporting a malicious link. It later said the issue was being escalated to support staff. |
| Joss Wright, a security expert from the Oxford Internet Institute, said in light of the examples, eBay needed to have a serious review of its practices in order to maintain trust. | Joss Wright, a security expert from the Oxford Internet Institute, said in light of the examples, eBay needed to have a serious review of its practices in order to maintain trust. |
| But he said the site faces difficulty in making sure it remains easy for its customers to use while maintaining a high level of security. | But he said the site faces difficulty in making sure it remains easy for its customers to use while maintaining a high level of security. |
| "It's going to be very hard for eBay to secure that without severely hampering their user experience," he said. | "It's going to be very hard for eBay to secure that without severely hampering their user experience," he said. |
| "But I think they need to move their balance a lot further towards security than they currently are." | "But I think they need to move their balance a lot further towards security than they currently are." |
| Have you noticed suspicious behaviour on your eBay account? Or have you received bogus eBay messages which try to extract payment details from you? You can share your experiences by emailing haveyoursay@bbc.co.uk Please provide your contact details if you are happy to speak to a BBC journalist. | Have you noticed suspicious behaviour on your eBay account? Or have you received bogus eBay messages which try to extract payment details from you? You can share your experiences by emailing haveyoursay@bbc.co.uk Please provide your contact details if you are happy to speak to a BBC journalist. |
| Follow Dave Lee on Twitter @DaveLeeBBC |