Security software firm CheckPoint says eBay usually filters out scripts and iFrames from item descriptions or online stores, but only strips alphanumeric characters from these HTML tags.
Security researcher Roman Zakin was able to bypass eBay’s security measures and post a malicious item description using a non-standard technique called ‘JSF**k’ – a binary like method that allows for the creation of code using six non-alphanumeric characters – (,),[,],! and +.
Using this technique, an attacker could summon additional code from a remote server that could trick users into downloading malware or giving away personal information. CheckPoint demonstrated this through the creation of a fake alert inviting users to enter login details and download an application in exchange for a non-existent 25 percent discount.
Since these prompts come from a legitimate eBay page, customers might have little reason to doubt the sincerity of the offer.
“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Security Research Group Manager at Check Point. “The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”
CheckPoint says it informed eBay of the flaw on 15 December, but on 16 January was told that no patch would be issued because active content was allowed on the site. This prompted the security firm to go public with its findings.
“As we demonstrated to the eBay security team in the [Proof of Concept] we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” said CheckPoint.
“At this point, all we can do is hope that eBay will eventually decide to do something about this vulnerability.”
“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world,” an eBay spokesperson told TechWeekEurope. “We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”
Are you a security pro? Try our quiz!