Hackers Target eBay Users With Fake iPhone Listings

Hackers have reportedly exploited a weakness in eBay’s site that enabled them to redirect customers to pages that steal login information. 

The BBC reports that several listings for iPhones for sale on eBay contained JavaScript code that changes the way the site acts. When users clicked on the listings, the code forced their web browser to redirect to a fake version of eBay that asked for their email address and password.

It’s claimed that eBay only removed the hacked listings after the BBC contacted the company, and that customers had been vulnerable for at least 12 hours.

Speaking to the BBC, IT worker Paul Kerr explained that eBay hadn’t removed the compromised listings: 

“When I spoke to the lassie on the phone, she said: ‘I’m going to report that to the highest level of security to get it looked into.’ And she did emphasise that. They should have nailed that straight away, and they didn’t.”

A video was created to show eBay exactly how the hack worked.

In a statement to the BBC, eBay assured customers that they were unlikely to have been affected by the hack, remarking: “This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page. We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”

Yesterday Amazon was revealed to be open to the same kind of attack, after a security researcher uncovered a vulnerability that exposed Kindle libraries. Hackers were able to include JavaScript in the metadata of eBooks that could trigger pop-up windows and page redirects. That exploit has since been fixed.
