Categories: SecurityVirus

EBay Changes Mind And (Partially) Fixes Site Security Flaw

Auction site eBay has performed an about-turn and fixed a potential damaging vulnerability affecting its website.

However, the company has only partially fixed the JavaScript flaw, revealed a few days ago, which could have put users at risk of downloading malware.

Today’s news comes after eBay had previously said it had no plans to perform any repairs on its site, despite the vulnerability first being revealed by security researchers CheckPoint back in December.

Overbid

The flaw, which exploited gaps in the website’s listing system, could have allowed hackers to insert malicious JavaScript code into an item description on the site.

This could have given cybercriminals an easy way to target users, either by sending a link to a very attractive product that would link to a download for malware, or by executing phishing scams purporting to come from eBay itself, offering new deals or special items.

Following CheckPoint’s reveal of its findings earlier this week, eBay says it has implemented various security filters based on Check Point’s findings, noting that it took security “very seriously”, but had yet to identify any fraudulent activity stemming from this incident.

“While not fully patched, given that we allow active content on our marketplace, it’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace,” eBay told the BBC.

“This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious Java script on targeted eBay users,” said Check Point research manager Oded Vanunu.

“If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.”

Are you a security pro? Try our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Recent Posts

Microsoft Executive Indicates Departmental Hiring Slowdown

Amid concern at the state of the global economy, a senior Microsoft executive tells staff…

1 day ago

Shareholders Sue Twitter, Elon Musk For Stock ‘Manipulation’

Disgruntled shareholders are now suing both Twitter and Elon Musk, over volatile share price swings…

1 day ago

Google Faces Second UK Probe Over Ad Practices

UK's competition watchdog launches second investigation of Google's ad tech practices, and whether it may…

1 day ago

Elon Musk Raises His Contribution To Twitter Acquisition

But one of Elon Musk's biggest backers on the Twitter board has tendered his resignation…

2 days ago

Broadcom Confirms VMware Acquisition For $61 Billion

Entry into cloud infrastructure software for US chip firm Broadcom after it confirms reports it…

2 days ago