The exploit is dubbed "eBayla," a tongue-in-cheek reference to the Ebola virus, although Cervenka's exploit is not a computer virus.
Pursglove compared the security breach to having someone look over your shoulder as you enter a credit card number on a keypad.
"It's the same type of activity, and our way of preventing it is posting on announcement boards that we will never ask for the user's password except under limited circumstances," Pursglove said. "It's also helpful to change your password from time to time."
Furthermore, Pursglove said, eBay will not hold a user accountable for a bid that is entered using a pilfered password.
However, that policy may pose some practical problems for the online auction house, which generally does not allow users to retract bids. But Pursglove said eBay would be able to determine whether a user's bid had been falsified, even if the password had been stolen. He declined to spell out how eBay would verify the user's claim, but said part of that process would involve looking at the user's feedback rating and any history of trying to retract bids.
eBay also will investigate users who create this type of exploit on the service, Pursglove said, and anyone identified as having done it could be barred from the site altogether. eBay would also give their names to law enforcement authorities when appropriate, he added.
The company has not decided whether to take action against Cervenka and his demonstration, Pursglove said.