The eBay website suffered from a critical XSS vulnerability, which has now been patched, but accusations are flying that the auction giant reacted very slowly to deal with the threat.
In fact, as ZDNet reports, apparently eBay only moved to address the cross-site scripting flaw when the media discovered the issue, and it became a bigger danger in terms of bad publicity.
The security hole involved the eBay.com domain, and was highlighted by a security researcher going by the name of 'MLT', who in a blog post described it as a "fairly basic vulnerability".
The researcher detailed how the flaw could be used by an attacker to inject an iframe containing a fake phishing login page to the eBay site – a visitor would attempt to log in to the malicious page (at eBay.com), and obviously that login would fail, but the attacker could in theory then steal the victim's login details.
And all sorts of nastiness would subsequently follow, obviously enough…
MLT said he contacted eBay about the vulnerability but waited a month with no response, and it was quickly fixed only when the media got in touch concerning the security hole. In his blog post, MLT said he wanted to "highlight how little these companies actually care (until they run the risk of being publicly exposed)".
ZDNet asked eBay for a comment, and the company did indeed acknowledge that it received the researcher's initial message on December 11. It said it responded the next day, but the researcher replied with a different email alias, which "resulted in a bit of miscommunication" and the delay in applying the fix.
Given how serious this problem was, though, you'd have hoped that no matter what "miscommunication" was occurring, eBay would be immediately looking into the reported flaw and seeing there was definitely an issue which required a fast response.
Meanwhile, who knows how many eBay users could have been affected by this.
- Also check out: The Dukes of Hacking attack the West