On Monday, a Canadian consultant said he would detail a security problem that would allow a malicious eBay user to snag the usernames and passwords of other users of the online auction house.
The problem, dubbed "eBayla" by Tom Cervenka, who discovered the bug, surfaces when an eBay member using a JavaScript-enabled browser bids on an "infected" item.
The rogue script on the item page then e-mails the victim's eBay username and password to the malicious user before the information is sent to eBay.
"I was pretty surprised to see that they don't seem to be doing any HTML filtering at all," said Cervenka.
Cervenka, a computer consultant, said that he first informed eBay and posted information about the problem on his Web site on 31 March. As of Monday, he said he had received only a form letter in return, and no detailed correspondence from the company concerning the exploit.
EBay's senior director of corporate communications characterized the hole as an "occasional byproduct" of the service's user-focused design.
"This is a possibility that exists because of the open environment that we create for people who want to list items and use HTML in the way we devised it -- to be as accurate and as descriptive as you possibly can," said Kevin Pursglove.
Cervenka said the problem arises from the manner in which eBay presents its Web auctions.
When a seller posts an item for auction on eBay, she writes a description of the item in HTML. But the form field will also accept JavaScript.
A few lines of code can modify the auction page so that when an eBay user bids on the item -- submitting the form to eBay with the bid amount and the user's account information -- the bidder's eBay username and password will first be e-mailed to the malicious user.
Once the username and password have been compromised, the form is submitted normally, with eBay and the victim none the wiser.
Cervenka has posted a demonstration of the exploit as a live auction on eBay. He also posted sample source code on his Web site that demonstrates the exploit.
Once the malicious user obtains this eBay account information, he can use it to post new auctions and place and retract bids under the victim's username. He can also change the victim's password and perform any other eBay operation that a legitimate user would normally be able to do.
"It sounds like an easy enough [exploit] to take care of," said Ted Julian, a security analyst with Forrester Research.
"For eBay to [filter] JavaScript shouldn't be a big deal, but they'll probably need something more sophisticated as a long-term solution."
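The mechanism described above (a seller's HTML description that the auction page renders unfiltered, so embedded script runs in every bidder's browser) is what the filtering Julian mentions is meant to stop. The following is an added illustration, not code from eBay, Cervenka or the article: an allow-list sanitizer for item descriptions, written with Python's standard-library HTML parser. It keeps only a small set of presentational tags and attributes, drops every script element and every `on*` event-handler attribute, and rejects `href`/`src` values that do not use an explicitly permitted URL scheme. The tag and attribute lists, the sample description and the function names are assumptions made for this example; the article does not say which markup eBay permitted.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list (an assumption for this example): markup that survives sanitizing.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a", "img",
                "font", "table", "tr", "td", "center"}
ALLOWED_ATTRS = {
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
    "font": {"size", "color", "face"},
    "table": {"border", "width"},
    "td": {"colspan", "width"},
}
# Only these schemes are accepted in href/src; javascript:, data:, vbscript:
# and scheme-less values are rejected.
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br", "img"}
# Elements dropped together with their text content (script bodies must not
# leak through as visible text either).
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}


class DescriptionSanitizer(HTMLParser):
    """Rebuilds an item description from scratch, emitting only allow-listed
    tags/attributes. Unknown tags are removed but their text is kept, so a
    seller's <form> or <input> becomes plain text rather than live markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this drops onclick/onerror/onsubmit and everything unlisted
            if name in ("href", "src"):
                # Compare a whitespace-stripped, lower-cased copy so that
                # case tricks and embedded whitespace do not hide the scheme.
                probe = "".join(ch for ch in (value or "") if not ch.isspace()).lower()
                if not probe.startswith(SAFE_URL_SCHEMES):
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Text was entity-decoded by the parser; re-escape it on output.
            self.out.append(escape(data, quote=False))


def sanitize_description(html_text: str) -> str:
    """Return a description containing only allow-listed markup."""
    parser = DescriptionSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


# Constructed sample: a legitimate listing with hostile markup mixed in.
# The script body is an inert marker, not a working payload.
SAMPLE_DESCRIPTION = (
    '<p>Vintage <b>camera</b>, see <a href="http://example.com/pics">photos</a>.</p>'
    '<script>/* constructed marker: must not survive sanitizing */</script>'
    '<img src="javascript:alert(1)" onerror="alert(1)" alt="x">'
    '<b onclick="alert(1)">Click</b>'
    '<form action="http://example.invalid/"><input name="bid"></form>'
)

if __name__ == "__main__":
    print("before:", SAMPLE_DESCRIPTION)
    print("after: ", sanitize_description(SAMPLE_DESCRIPTION))
```

Rebuilding the output from an allow-list, rather than deleting known-bad patterns from the input, is the "more sophisticated" approach Julian alludes to: a new tag or attribute that can run script is blocked by default instead of having to be added to a deny-list after the fact.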
For his part, Cervenka was shocked to find that JavaScript is allowed in eBay Item Description forms when plain HTML would suffice.
Pursglove downplayed the severity of the exploit.
"If somebody had indeed used your password as well as your username and started bidding on a bunch of items, you'd be the first person to be contacted by eBay through e-mail, and we'd be able to backtrack on that to make sure that we could take care of that situation."
Julian said that such bugs are par for the course in the e-commerce world.
"These new and also rapid types of relationships -- such as online auctions, where the rules and protocols associated with those relationships are being written as we go along -- are a recipe for these kinds of incidents."
With 2.2 million registered users and 1.8 million items up for auction, eBay is the largest online auction clearinghouse.