eBay ‘Won’t Fix’ JavaScript Flaw That Exposes Users To Malware, Phishing

eBay has no plans to fix a vulnerability on its auction platform that allows attackers to launch phishing campaigns or spread malware by inserting malicious JavaScript code into an item description.

Security software firm CheckPoint says eBay usually filters out scripts and iFrames from item descriptions or online stores, but only strips alphanumeric characters from these HTML tags.

Security researcher Roman Zakin was able to bypass eBay’s security measures and post a malicious item description using a non-standard technique called ‘JSF**k’ – a binary like method that allows for the creation of code using six non-alphanumeric characters – (,),[,],! and +.

eBay flaw

eBay © Ingvar Bjork, SHutterstock 2014Using this technique, an attacker could summon additional code from a remote server that could trick users into downloading malware or giving away personal information. CheckPoint demonstrated this through the creation of a fake alert inviting users to enter login details and download an application in exchange for a non-existent 25 percent discount.

Since these prompts come from a legitimate eBay page, customers might have little reason to doubt the sincerity of the offer.

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Security Research Group Manager at Check Point. “The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”

CheckPoint says it informed eBay of the flaw on 15 December, but on 16 January was told that no patch would be issued because active content was allowed on the site. This prompted the security firm to go public with its findings.

“As we demonstrated to the eBay security team in the [Proof of Concept] we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” said CheckPoint.

“At this point, all we can do is hope that eBay will eventually decide to do something about this vulnerability.”

“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world,” an eBay spokesperson told TechWeekEurope. “We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”

Are you a security pro? Try our quiz!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Amazon’s First Project Kuiper Satellites Slated For 9 April Launch

Rival for Starlink and OneWeb. United Launch Alliance slated to send 27 Kuiper satellites into…

1 hour ago

Trump’s Tariffs: Implications For Tech Sector

Semiconductor imports are free of Trump's tariff war, but concerns remain over imports of smartphones…

2 hours ago

OpenAI Secures $40 Billion Funding Deal With SoftBank, Others

SoftBank has agreed a funding deal that will see OpenAI being provided with up to…

19 hours ago

Tesla Sales Plummet Amid Elon Musk Backlash

Tesla sales have plummeted to lowest level in three years, as deliveries of new EVs…

20 hours ago

Amazon Launches Nova AI Agent To Perform Browser Actions

New addition. Next generation foundation model, as Amazon Nova model launches to perform actions within…

22 hours ago

Meta AI Head Announces Departure

Head of artificial intelligence research at Meta Platforms has announced she is leaving the social…

1 day ago