Hackers used vulnerabilities in Firefox and Internet Explorer to create fake eBay listings and get users to bid on them, news agencies reported Monday.
Analysts say scammers used a cross-site scripting attack to apply unauthorized JavaScript elements stored in third-party Web sites. This resulted in outside e-mail links and other unauthorized codes appearing on eBay pages while evading toolbars designed to detect fraudulent listings. The listings—which appeared on eBay over the weekend—even provided links to e-mail "sellers." These e-mails were sent to an AOL address.
The scam was not a new security threat, says Nichola Sharpe, a spokeswoman for eBay.
"Our online security experts are already aware of this and have identified it as a known bug in Firefox," Sharpe notes. "eBay utilizes sophisticated security technologies to protect our customers against attacks such as this. We continually update our security to deal with emerging threats—and have done so with this threat."
eBay officials say all the fake listings have been taken down but warn that listings on other Web sites that accept content created by users may still be vulnerable.
No estimates were available on how many buyers were fooled into purchasing items from the fake listings.
Internet Explorer says the breach was not a result of weaknesses on its browser.
"Our investigation has shown that it is not vulnerability in Internet Explorer," notes Bill Sisk, Microsoft's manager of Security Response Communications. "In fact, the claim represents a method by which malicious attackers can exploit specific functionality in Web sites to bypass security measures. The nature of these attacks is not new and Web site operators commonly have protections in place to mitigate such attacks."
Firefox—which had almost twice as many weaknesses as Internet Explorer and Safari combined in 2008, according to browser vulnerability research by Secunia—is in the process of correcting its vulnerabilities.
According to Infopackets, a technology news source, scammers targeted Firefox by exploiting the way the browser implements XML binding language, or XBL.
"After the hacker had created an infected CSS (cascade-style sheet) on a third-party site, Firefox was tricked into allowing forbidden codes that led to fraudulent content on the listings," Infopackets reports.
Tracking the fraudulent listings was tough because item numbers changed every time the pages loaded, according to reports. This also made the listings appear to be "live." It took eBay more than 24 hours to remove one of the fake listings.
Auctiva staff writers constantly monitor trends and best practices of those selling on eBay and elsewhere online. They attend relevant training seminars and trade shows and regularly discuss the market with PowerSellers and other market experts.
Other Entries by this Author