eBay Criticised Following Phishing Scam

eBay has come under fire from security researchers after apparently choosing to ignore a vulnerability in its website, which has resulted in customer details being stolen.

Forbes reports that it is the latest in a number of serious cybersecurity problems at the company this year, following a database hack in May and the theft of details from its StubHub ticket site customers only a few months ago.

This time, cybercriminals are exploiting the highly visual JavaScript and Flash content included in its listings, which sellers use to make their pages look more exciting, with videos or other eye-catching techniques.

As Forbes highlights, the company was believed to have been aware that hackers were manipulating the code for malicious content, putting a large number of its customers at risk, but chose to do little about it.

Graham Cluley, an independent security analyst who runs a blog on the subject, told The Drum that the flaw allowed advertisers to direct users to third-party sites that could “pretend to be eBay”, where customers could unwittingly hand over their payment details – a technique known as cross-site scripting (XSS).

At least 100 exploited listings have been highlighted by the BBC, which reports that the problems continue even though eBay may have been aware of them since February.

The online marketplace said that it would “continue to review all site features and content”. An eBay spokesperson told The Drum, however, that the issue of cross-site scripting is something that affects many sites across the internet and is not a vulnerability unique to the eBay website.