CYBER NEWS

eBay Will Not Patch a Severe Security Flaw, Phishing Attacks Possible

A serious vulnerability in eBay’s sales platform has been just exposed by security researches at Check Point. The vulnerability enables attackers to bypass eBay’s code validation. As a result, attackers can control the code remotely and execute malicious JavaScript code on eBay users. The longer the vulnerability is left unpatched, the more likely it is for eBay users to become victims of phishing attacks and data theft.

More to Read: PayPal Fixed a Remote Code Execution Bug

Unfortunately, eBay has done nothing to fix this serious security flaw. Check Point contacted eBay on Dec 15, 2015. A couple of week later, eBay replied them that they didn’t plan to fix the flaw. It’s only natural to wonder why.

The eBay Vulnerability in Detail

The researcher who has discovered the flaw is Roman Zaikin. He disclosed that the flaw enables attackers to execute malicious code on various devices via a not-so-typical technique known as ‘JSF**’. The technique gives malicious actors the opportunity to use eBay as a phishing site and a malware distribution platform.

JSFk-script-checkpoint-stforum
This is how the JSF** script looks like. Source: Check Point

To initiate an attack, the attacker only needs to create an online eBay store. There, he can simply post a malicious description of an item. Even though eBay is designed to prevent users from using scripts or iFrames, by using the JSF**k technique, the attackers is enabled to write a code that loads an additional JS code from his server. As a result, the attacker can insert JavaScript and control it remotely. He can also alter the JS code to create various payloads.

This is what Oded Vanunu, Security Research Group Manager at Check Point, has said:

The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.

In response to the vulnerability disclosure, eBay has stated that they haven’t found any fraudulent activity based on the flaw. In addition, an eBay’s spokesperson has also said that various security filters have been implemented. No more details on eBay’s fixes were provided.

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...