EBay Redirect Attack Puts Buyers' Credentials At Risk
EBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials.
The spoof site had been set up to look like the online marketplace's welcome page.
The US firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later.
One security expert said he was surprised by the length of time taken.
“EBay is a large company and it should have a 24/7 response team to deal with this – and this case is unambiguously bad,” said Dr Steven Murdoch from University College London's Information Security Research Group.
The security researcher was able to analyse the listing involved before eBay removed it.
He said that the technique used was known as a cross-site scripting (XSS) attack.
Users only had to click the original listing to have their browser hijacked.
“The websites the user is being redirected to are almost certainly compromised by the attacker to hide his or her traces,” Dr Murdoch explained.