Cross-site scripting (XSS), or cross-site phishing, has been going on at eBay for a number of years, says Ebayisajoke: someone creates a fake domain (website) and uses a duplicate eBay login page to trick users into thinking they need to log in to eBay again. eBay allows a logged-in user to revise and edit their listed products, and the product description allows HTML, with restrictions on scripts and other unwanted tags. This filter is vulnerable and could be bypassed easily. The result is a phishing script that targets your private data, such as your username and password, which would allow the phisher to steal your information and list fraudulent items under your name. eBay Inc has not been able to fix this problem on their site since 2006.
Some of the vulnerability effects:
1) User cookies could be retrieved and misused.
2) Users could be redirected to fake login pages where passwords could be stolen.
3) An XSS worm would be possible.
4) Unwanted transactions could be made in the context of the logged-in user.
eBay Inc touts how secure it is, protecting its users, and how sitewide seller purges protect the community; however, it has been unsuccessful when it comes to stripping out abusive XSS code from its auctions or from anywhere else on its web site. Below is the original forum post of a seller that was phished just recently; I have placed it here before eBay deletes it or password-protects the thread. Homeland Security put out a notification in 2006 about eBay’s cross-site scripting vulnerabilities, VU#808921. eBay Inc has not yet made a public response to this issue, but then again they don’t respond to anything because they operate under a “Hide and cover up” policy.