eBay ‘Won’t Fix’ JavaScript Flaw That Exposes Users To Malware, Phishing

eBay has no plans to fix a vulnerability on its auction platform that allows attackers to launch phishing campaigns or spread malware by inserting malicious JavaScript code into an item description.

Security software firm CheckPoint says eBay usually filters out scripts and iFrames from item descriptions or online stores, but only strips alphanumeric characters from these HTML tags.

Security researcher Roman Zakin was able to bypass eBay’s security measures and post a malicious item description using a non-standard technique called ‘JSF**k’ – a binary like method that allows for the creation of code using six non-alphanumeric characters – (,),[,],! and +.

eBay flaw

Using this technique, an attacker could summon additional code from a remote server that could trick users into downloading malware or giving away personal information. CheckPoint demonstrated this through the creation of a fake alert inviting users to enter login details and download an application in exchange for a non-existent 25 percent discount.

Since these prompts come from a legitimate eBay page, customers might have little reason to doubt the sincerity of the offer.

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Security Research Group Manager at Check Point. “The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”

CheckPoint says it informed eBay of the flaw on 15 December, but on 16 January was told that no patch would be issued because active content was allowed on the site. This prompted the security firm to go public with its findings.

“As we demonstrated to the eBay security team in the [Proof of Concept] we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” said CheckPoint.

“At this point, all we can do is hope that eBay will eventually decide to do something about this vulnerability.”

“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world,” an eBay spokesperson told TechWeekEurope. “We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”

Are you a security pro? Try our quiz!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Microsoft’s Hiring Of Inflection AI Staff Does Not Meet EU Merger Thresholds

European Commission says Microsoft's hiring of Inflection AI's staff will not be investigated under EU…

11 hours ago

Google Urges London Tribunal To Dismiss Mass Lawsuit

Alphabet urges Competition Appeal Tribunal to dismiss mass lawsuit seeking up to £7bn ($9.3bn) for…

11 hours ago

US To Host International Network of AI Safety Institutes In November

The US will host the first meeting of the International Network of AI Safety Institutes,…

12 hours ago

Qualcomm Loses Appeal Over EU Antitrust Fine

EU General Court upholds European Commission €242m antitrust fine against Qualcomm, after it allegedly forced…

14 hours ago

EU Court Rules Google’s €1.49bn Fine Should Be Annulled

Google wins court challenge. Europe's second highest court rules EC's €1.49bn antitrust fine should be…

16 hours ago

Meta Bans Russian State Media Networks

Russian state media networks including RT, Rossiya Segodnya etc banned by Meta Platforms for “foreign…

17 hours ago