eBay ‘Won’t Fix’ JavaScript Flaw That Exposes Users To Malware, Phishing

eBay has no plans to fix a vulnerability on its auction platform that allows attackers to launch phishing campaigns or spread malware by inserting malicious JavaScript code into an item description.

Security software firm CheckPoint says eBay usually filters out scripts and iFrames from item descriptions or online stores, but only strips alphanumeric characters from these HTML tags.

Security researcher Roman Zakin was able to bypass eBay’s security measures and post a malicious item description using a non-standard technique called ‘JSF**k’ – a binary like method that allows for the creation of code using six non-alphanumeric characters – (,),[,],! and +.

eBay flaw

Using this technique, an attacker could summon additional code from a remote server that could trick users into downloading malware or giving away personal information. CheckPoint demonstrated this through the creation of a fake alert inviting users to enter login details and download an application in exchange for a non-existent 25 percent discount.

Since these prompts come from a legitimate eBay page, customers might have little reason to doubt the sincerity of the offer.

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Security Research Group Manager at Check Point. “The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”

CheckPoint says it informed eBay of the flaw on 15 December, but on 16 January was told that no patch would be issued because active content was allowed on the site. This prompted the security firm to go public with its findings.

“As we demonstrated to the eBay security team in the [Proof of Concept] we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” said CheckPoint.

“At this point, all we can do is hope that eBay will eventually decide to do something about this vulnerability.”

“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world,” an eBay spokesperson told TechWeekEurope. “We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”

Are you a security pro? Try our quiz!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

13 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

14 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

15 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

16 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

19 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

20 hours ago