eBay has no plans to fix a vulnerability on its auction platform that allows attackers to launch phishing campaigns or spread malware by inserting malicious JavaScript code into an item description.
Security software firm CheckPoint says eBay usually filters out scripts and iFrames from item descriptions or online stores, but only strips alphanumeric characters from these HTML tags.
Security researcher Roman Zakin was able to bypass eBay’s security measures and post a malicious item description using a non-standard technique called ‘JSF**k’ – a binary like method that allows for the creation of code using six non-alphanumeric characters – (,),[,],! and +.
Since these prompts come from a legitimate eBay page, customers might have little reason to doubt the sincerity of the offer.
“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Security Research Group Manager at Check Point. “The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”
CheckPoint says it informed eBay of the flaw on 15 December, but on 16 January was told that no patch would be issued because active content was allowed on the site. This prompted the security firm to go public with its findings.
“As we demonstrated to the eBay security team in the [Proof of Concept] we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” said CheckPoint.
“At this point, all we can do is hope that eBay will eventually decide to do something about this vulnerability.”
“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world,” an eBay spokesperson told TechWeekEurope. “We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”
Are you a security pro? Try our quiz!
European Commission says Microsoft's hiring of Inflection AI's staff will not be investigated under EU…
Alphabet urges Competition Appeal Tribunal to dismiss mass lawsuit seeking up to £7bn ($9.3bn) for…
The US will host the first meeting of the International Network of AI Safety Institutes,…
EU General Court upholds European Commission €242m antitrust fine against Qualcomm, after it allegedly forced…
Google wins court challenge. Europe's second highest court rules EC's €1.49bn antitrust fine should be…
Russian state media networks including RT, Rossiya Segodnya etc banned by Meta Platforms for “foreign…