Online auction house eBay has once again come under fire for its slow response to a reported hack that drove its buyers to a phony "Welcome" page that gathered users' credentials.
News of the hack came from the BBC, which reports that eBay knew about the diversion last night but only took the phony intro page down 12 hours after it was alerted by the UK news agency. A security expert consulted by the BBC identified the hack as a cross-site scripting (XSS) attack, a common technique for injecting attacker-controlled script into pages served by an otherwise trusted website.
In the case of eBay, the attack inserted malicious code into product listing pages so users were redirected through a series of websites to a page that asked them to provide their eBay login and password.
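The listing-page attack described above is a stored XSS problem: seller-supplied HTML reaches other users' browsers carrying script or markup that forces navigation. The following is an added example, not eBay's code, of a listing review check that parses description HTML and flags the constructs capable of running script or redirecting the visitor; the listing samples and the `evil.example` domain are constructed for illustration.

```python
import html.parser

# Constructed sample listing descriptions (not real eBay pages) modelled on the
# incident: seller-supplied HTML that silently redirects the visitor elsewhere.
SAMPLE_LISTINGS = {
    "benign": '<p>Vintage camera, <b>boxed</b>. <a href="https://example.com/photos">Photos</a></p>',
    "script_redirect": '<p>Great deal!</p><script>window.location="https://evil.example/welcome"</script>',
    "event_handler": '<img src="x.jpg" onerror="location.href=\'https://evil.example/login\'">',
    "meta_refresh": '<meta http-equiv="refresh" content="0;url=https://evil.example/login">',
    "js_url": '<a href="javascript:document.location=\'https://evil.example\'">click</a>',
}

# Elements and URL-bearing attributes that a listing sanitizer has to police.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "data"}
BAD_SCHEMES = ("javascript:", "data:", "vbscript:")


class RedirectFinder(html.parser.HTMLParser):
    """Collect constructs in listing HTML that can run script or force navigation."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip().lower().replace(" ", "")
            if name.startswith("on"):  # inline event handlers such as onerror/onload
                self.findings.append(f"event handler {name}")
            elif name in URL_ATTRS and value.startswith(BAD_SCHEMES):
                self.findings.append(f"{name} uses {value.split(':', 1)[0]}: URL")
        # <meta http-equiv="refresh"> navigates without any script at all.
        if tag == "meta" and (dict(attrs).get("http-equiv") or "").lower() == "refresh":
            self.findings.append("meta refresh")


def find_redirect_constructs(listing_html):
    """Return the suspicious constructs found in one listing description."""
    parser = RedirectFinder()
    parser.feed(listing_html)
    parser.close()
    return parser.findings


def scan_listings(listings):
    """Map listing id -> findings, keeping only listings that need review."""
    results = {lid: find_redirect_constructs(body) for lid, body in listings.items()}
    return {lid: found for lid, found in results.items() if found}


if __name__ == "__main__":
    for lid, found in scan_listings(SAMPLE_LISTINGS).items():
        print(lid, "->", ", ".join(found))
```

The benign listing passes because plain formatting tags and an https link carry nothing executable; the other four are each caught by a different rule, which is why a tag-only blocklist would have missed half of them.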
EBay is reportedly downplaying the attack, insisting that a single listing introduced the malicious code. But the BBC identified three listings by the same account. The company would not say whether any users' credentials were stolen, only commenting that the listing was a violation of its rules against “third-party links.”
San Jose, Calif.-based eBay has had its share of security difficulties recently.
In May, its database of user passwords was compromised, forcing the company to send out a blanket email asking users to change their passwords. In July, hackers broke into its StubHub ticket resale site and defrauded the service of about $1 million, resulting in the arrest of three London hackers who were part of a global cybercrime ring.