According to the BBC, an eBay security flaw has exposed its customers to malicious websites since at least February.
Earlier in the week, the BBC revealed that clicking on some listings on the eBay site automatically redirected users to harmful sites.
eBay took down several listings and claimed it was an isolated incident. But the BBC has found multiple listings from a number of different users exploiting the same vulnerability, and several readers have also contacted the BBC with details of complaints they had already made to eBay.
eBay said in a statement that it has a dedicated team of experts working on its security issues, but that criminals "intentionally adapt their code and tactics to try to stay ahead of their most sophisticated security systems".
As early as February this year, a transcript shows Paul Castle explaining the issue to eBay support staff.
"I was just browsing in Digital Cameras and came across a password-harvesting scam," Mr Castle wrote during an online chat with eBay support staff.
He said that clicking on the listing link immediately took users to a password-harvesting scam page. Other users also got in touch with the BBC to describe listings they had found that behaved the same way when clicked.
Castle said that this is a big security problem for eBay users, since there could be hundreds of such listings.
eBay's search function only lets users find completed auctions that are less than 15 days old; even within that window, a search by the BBC turned up 64 listings that posed a danger to users.
Security experts have criticised eBay for not responding to the vulnerability quickly enough. They say that although some listings were removed after being reported, the underlying issue has yet to be fixed.
Dr Steven Murdoch of University College London's Information Security Research Group says eBay should have looked for all the other links that exploited the same vulnerability and removed them too as a matter of priority, and that it also ought to have closed off the vulnerability to future attackers.