EBay plans thousands of job cuts
eBay users looking for iPhone listings risked being redirected to a malicious third-party site.

EBay has suffered a security breach, whereby users looking for iPhone listings risked having their account details stolen.

A cross-site scripting (XSS) flaw was exploited by a hacker who was able to redirect certain auction pages to a third-party phishing page that resembled the eBay homepage.

The spoof eBay webpage then asked users to enter their username and password.

iphone 6 ebay
An iPhone eBay listing that was compromised (top). eBay

The flaw was first noticed on Wednesday by Paul Kerr, an eBay seller and IT worker, however no action was taken by the auction site until they were contacted by the BBC.

EBay claims that it has since removed one listing, though there appears to be several similar listings on the site.

"This report relates only to a 'single item listing' on eBay.co.uk whereby the user included a link which redirects users away from the listing page," an eBay spokesperson said.

"We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links."

Web users wishing to check the safety of websites can check the XSS database XSSposed for a list of websites at risk.

eBay attacks

Earlier this year eBay was the victim of a massive security breach that left millions of users vulnerable to having their personal details stolen.

Usernames, passwords, email addresses, phone numbers, physical addresses and dates of birth were all stolen in the cyberattack, which took place in late February.

Following the attack, eBay urged all users to change their passwords due to fears that all 233 million users of the auction site were affected.

Regulators in the UK, US and Europe subsequently opened investigations into eBay to better understand the data breach.

"We have relationships with and proactively contacted a number of state, federal, and international regulators and law enforcement agencies," an eBay spokesperson said at the time. "We are fully cooperating with them."