Scripts in eBay Postings May Enable Phishing Attacks
Original release date: April 27, 2006
Last revised: --
Source: US-CERT
Systems Affected
The eBay web site may contain pages that affect various web browsers.
Overview
A vulnerability in the eBay web site may allow an attacker to steal
personal information from eBay customers.
Solution
Verify the legitimacy of eBay web pages
Attackers may use the vulnerability to perform a phishing
attack. Make sure that the URL is accurate, and check the web site
certificate to make sure that you are visiting an authentic eBay
web page.
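The URL check described above can be automated for links before they are followed. The following is an added example, not part of the US-CERT alert or of any eBay code: it covers the redirect case only, since a script running inside a genuine eBay page does not change the host. The TRUSTED_DOMAINS list, the checkUrl name and the sample links are assumptions constructed for illustration.

```javascript
// Added example: decide whether a link really points at a trusted site.
// TRUSTED_DOMAINS is an assumption; the alert itself names only "eBay".
const TRUSTED_DOMAINS = ["ebay.com"];

function checkUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser: lowercases the host, converts IDN to ASCII
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Without HTTPS there is no certificate to check at all.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not-https" };
  }
  // "https://www.ebay.com@other.host/" puts the familiar name in the
  // userinfo part; the real host is whatever follows the "@".
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo-present" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Internationalized labels can render like ASCII letters; flag them.
  if (host.startsWith("xn--") || host.includes(".xn--")) {
    return { ok: false, reason: "punycode-host" };
  }
  // Match the whole host or a dot-separated suffix, never a substring:
  // "ebay.com.evil.example" contains "ebay.com" but is not under it.
  const trusted = TRUSTED_DOMAINS.some(
    (d) => host === d || host.endsWith("." + d)
  );
  return trusted
    ? { ok: true, reason: "trusted-host" }
    : { ok: false, reason: "untrusted-host" };
}

// Constructed sample links (not taken from any real incident).
const SAMPLES = [
  "https://signin.ebay.com/",
  "http://www.ebay.com/",
  "https://www.ebay.com@evil.example/",
  "https://ebay.com.evil.example/signin",
  "https://www.eb\u0430y.com/", // Cyrillic "a" in place of Latin "a"
];
for (const s of SAMPLES) {
  console.log(checkUrl(s).reason.padEnd(18), s);
}
```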
Description
eBay allows users to incorporate a type of code, also known as scripting, into
the auction descriptions on its web site. An attacker can use this code to
modify pages on eBay's web site or redirect you to a malicious web page.
The modified or malicious pages may appear to be legitimate eBay web pages
that request personal information. Using these techniques, an attacker may be
able to collect your passwords, credit card numbers, or other personal
information.
Please see US-CERT Vulnerability Note VU#808921 for details and additional workarounds.
Feedback can be directed to the US-CERT Technical Staff.
Produced 2006 by US-CERT, a government organization.
Revision History
April 27, 2006: Initial release