A security researcher reported a vulnerability to eBay in June, according to the Kaspersky Labs news publication ThreatPost.
The researcher, Aditya Sood, told ThreatPost eBay fixed the bug in August.
“There was a cross-site scripting vulnerability in an eBay domain that could have allowed an attacker to steal users’ session cookies and take over their accounts,” it wrote. “The vulnerability existed on an eBay subdomain, svcs.ebay.com, and Sood said it specifically was in the SMS gateway on the page.”
Earlier this year, Sood had reported another security vulnerability – ThreatPost said he had found a file upload and a path disclosure vulnerability on an eBay site in March.
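The mechanism described above (an XSS flaw used to read a session cookie and take over the account) has two standard defensive controls: escape untrusted input before it is reflected into a page, and mark the session cookie HttpOnly so script cannot read it at all. The following is an added example, not code from eBay, ThreatPost or the researcher; the parameter, cookie name and Set-Cookie headers are constructed for illustration.

```javascript
// Added example (not from the article or any eBay code). Two defender-side checks
// for the reflected-XSS / cookie-theft scenario: output encoding of reflected
// input, and an audit of Set-Cookie headers for the flags that limit the damage
// an XSS bug can do to a session cookie.

// Characters that can break out of an HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

// Encode untrusted text so the browser treats it as data, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// A page fragment that echoes a submitted parameter back to the user, e.g. a
// form handler confirming the value it received. Unsafe variant reflects the
// raw value; safe variant encodes it first.
function renderUnsafe(param) {
  return `<p>You entered: ${param}</p>`;
}
function renderSafe(param) {
  return `<p>You entered: ${escapeHtml(param)}</p>`;
}

// Coarse detector: does the rendered HTML contain script tags, inline event
// handlers or javascript: URLs that the template itself never emits?
function containsActiveContent(html) {
  return /<\s*script|\son\w+\s*=|javascript:/i.test(html);
}

// Parse one Set-Cookie header value into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const attributes = {};
  for (const attr of attrs) {
    const [key, value] = attr.split("=");
    attributes[key.toLowerCase()] = value === undefined ? true : value;
  }
  return { name, attributes };
}

// Report which hardening attributes a session cookie is missing. HttpOnly is the
// one that stops document.cookie from exposing the session to injected script.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push("HttpOnly");
  if (!attributes.secure) missing.push("Secure");
  if (!attributes.samesite) missing.push("SameSite");
  return { name, missing };
}

// Constructed sample inputs: a harmless script-injection probe string and two
// hypothetical Set-Cookie headers for a cookie named "sid".
const PROBE = "<script>probe()</script>";
const WEAK_COOKIE = "sid=abc123; Path=/";
const HARDENED_COOKIE = "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";

console.log("unsafe reflection active:", containsActiveContent(renderUnsafe(PROBE)));
console.log("safe reflection active:  ", containsActiveContent(renderSafe(PROBE)));
console.log("weak cookie missing:     ", auditSessionCookie(WEAK_COOKIE).missing);
console.log("hardened cookie missing: ", auditSessionCookie(HARDENED_COOKIE).missing);
```

The escaper handles text and quoted-attribute contexts; reflecting input into a script block, a URL or a CSS value needs a context-specific encoder instead, and the cookie audit is a header check only, not a substitute for fixing the injection itself.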
Last fall, the BBC reported extensively on cross-site scripting (XSS) vulnerabilities on eBay UK thanks to its policy that allows the use of active content on its marketplace, including JavaScript, Flash, links, videos and pictures. At the time, eBay’s Vice President of Global Managed Marketplace published a notice on the eBay UK announcement board, stating, “After a recent review of our processes and policies, we believe the benefits of allowing active content to our customers outweigh the extremely low likelihood of being exposed to them.”