It’s not uncommon to hear of software vulnerabilities at major online services; what people really want to see is how the companies that run those services react to such a situation and how quickly they are able to patch things up. Reports suggest that even though eBay was privately notified of a serious security vulnerability, it did not act on the information until the matter got the attention of the media.
Apparently it was a severe XSS (cross-site scripting) vulnerability that left millions of its users exposed to potential phishing attacks, which could subsequently have led to data theft.
The XSS flaw was reportedly left unpatched on the main ebay.com domain even though the company had been privately notified of the vulnerability; eBay patched it only once it came under the media spotlight.
It was discovered by an independent security researcher, who explained that it was a fairly simple vulnerability that would have allowed an attacker to use an iframe to insert their own malicious page into eBay. As proof, the researcher used the vulnerability to show that a malicious login page could be made to look like the legitimate eBay login page.
Attackers could easily steal usernames and passwords this way, and since many people have a habit of reusing the same username and password across the internet, it could have resulted in further data loss for millions of people. The researcher said he waited a month for eBay to respond to the private submission, but eBay only decided to fix it when the media contacted the company about the vulnerability. It has now been patched for good.
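The class of bug described above is reflected XSS: user-supplied text is written into the page without output encoding, so a value containing markup such as an iframe tag becomes part of the page. The following is an added illustration, not code from the article and not eBay's code; the page template, the parameter name, the sample input and the header values are all constructed. It shows the vulnerable rendering pattern beside its encoded form, a check a reviewer or regression test can run over rendered HTML, and the response headers that limit framing even when encoding is missed somewhere.

```javascript
// Added example (not from the article, not eBay's code): a reflected-XSS
// rendering pattern of the kind the report describes, beside its hardened form.
// Template, parameter names, sample input and header values are constructed.

// Encode the five characters that let untrusted text break out of an HTML
// text node or a quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query parameter is concatenated straight into the markup,
// so any tags it contains are rendered by the browser as part of the page.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: the same template with output encoding applied at the sink.
function renderSearchHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Constructed sample input: an iframe tag, the shape of payload the article
// says was used to frame a look-alike login page. The URL is a placeholder.
const CONSTRUCTED_INPUT = '<iframe src="https://example.invalid/login"></iframe>';

// Regression check: true when the rendered output contains any element
// other than the ones the template itself is expected to emit.
function containsInjectedTag(html, allowedTags) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  const allowed = allowedTags.map((t) => t.toLowerCase());
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Defence in depth: with these headers the page can neither embed frames
// (frame-src) nor be framed by other origins (frame-ancestors / X-Frame-Options),
// so a missed encoding does not by itself allow a framed look-alike login page.
function defensiveHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; frame-src 'none'; frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Stand-alone demonstration.
console.log('vulnerable:', renderSearchVulnerable(CONSTRUCTED_INPUT));
console.log('hardened:  ', renderSearchHardened(CONSTRUCTED_INPUT));
console.log('injected tag in vulnerable output:',
  containsInjectedTag(renderSearchVulnerable(CONSTRUCTED_INPUT), ['h1']));
console.log('injected tag in hardened output:',
  containsInjectedTag(renderSearchHardened(CONSTRUCTED_INPUT), ['h1']));
console.log('headers:', defensiveHeaders());
```

The check in `containsInjectedTag` is deliberately simple: it only looks for tag names, so it is a unit-test aid for templates whose expected elements are known, not a general HTML sanitizer. Encoding at the sink (`escapeHtml` in the template) is the actual fix; the headers reduce impact when a sink is missed.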