eBay Draws Criticism For Allowing Hacking
Innocent user accounts are hacked and eBay responds by sending the honest account holder an invoice for a hacker's selling fees
eBay Inc (NASDAQ:EBAY), among the world's largest electronic marketplaces, is coming under attack for allowing apparently rule-abiding user accounts to be hacked by malicious fraudsters and then, in some cases, holding the victim of the hack responsible for the fraudster's selling fees.
A recent BBC study found that innocent user accounts were hacked so as to place fake listings on eBay Inc (NASDAQ:EBAY). Many of the targeted accounts had 100% positive feedback and had sold hundreds of items. One victim had his account hacked and was locked out; when he contacted eBay about the problem, the company apparently did not solve it but instead invoiced him £35, or $57, for selling fees the hackers had run up.
'I emailed eBay to say there's something not quite right here,' Russell Dearlove of the UK was quoted in the report as saying. 'I got no response but they have sent me a statement saying I owed about £35.'
After an eBay account was hacked, the hackers put up a specifically designed web page that contained malicious computer code. As customers clicked on a compromised listing, they were brought to a sophisticated, official-looking site that asked victims to log in and share bank account details, and the fraud proceeded from that point.
The focus of the technical vulnerability is the hacker's ability to place custom JavaScript and Flash content into their listing pages. While these can make sellers' pages more attractive, they also open users up to a hacking technique known as cross-site scripting (XSS).
'It's not OK for eBay to have cross-site scripting vulnerabilities on its website,' said Mikko Hypponen, from security firm F-Secure. 'If they can't make it work without the risk of exposing users to cross-site scripting, they shouldn't allow it.'
Security researcher Brian Honan called for eBay to disable the active content until it could reassure customers. 'Obviously having JavaScript and Flash and all that wonderful stuff is great for the seller,' he told the BBC.
For its part, eBay Inc (NASDAQ:EBAY) was resolute. While apparently not addressing the users who had been hacked, the company maintained the allowances for computer code that enable the hacking. 'Many of our sellers use active content like JavaScript and Flash to make their eBay listings perform better,' eBay said in a statement. 'We have no current plans to remove active content from eBay. However, we will continue to review all site features and content in the context of the benefit they bring our customers as well as overall site security.'