There was a time in the early 2000s where the average person was starting to realize that if they wanted something, no matter what it was, they could probably find it somewhere on the Internet. That was due in large part to sites like eBay, though recent news has it offering something different to shoppers.
ZDNet reported that eBay recently patched a security vulnerability that had been leaking the personal details of millions of sellers and buyers through phishing campaigns. Originally found by an independent researcher who goes by the moniker “MLT,” the XSS security flaw allowed any hacker of basic ability to simply paste his or her own login page over the legitimate eBay one. When users went to enter their information, they would be given an error message as the fake page copied their data and redirected them to the actual site.
In a statement to ZDNet, an eBay spokesperson confirmed that they had been in contact with MLT about the flaw, but that crossed wires prevented them from acting on the information until nearly a month had passed since the two parties originally made contact.
“We did indeed receive the researcher’s submission on the 11th of December, and did respond to the initial email address that he submitted the report to on the 12th,” the eBay spokesperson said. “However, he followed up with a different email alias, which resulted in a bit of miscommunication. We have since been in contact with the researcher and have fixed them.”
The optics of the story don’t look great for eBay. A white hat hacker reaches out of his own volition, but his recommendations are lost in the weeds, as what MLT called “a fairly basic vulnerability” continued to allow hackers access to users’ personal information. Now that the mend has been made, it’s time for eBay to take stock of the damage.