Unfortunately, eBay has done nothing to fix this serious security flaw. Check Point contacted eBay on Dec 15, 2015. A couple of weeks later, eBay replied that it didn’t plan to fix the flaw. It’s only natural to wonder why.
The eBay Vulnerability in Detail
The researcher who discovered the flaw is Roman Zaikin. He disclosed that the flaw enables attackers to execute malicious code on various devices via a not-so-typical technique known as ‘JSF**’. The technique gives malicious actors the opportunity to use eBay as a phishing site and a malware distribution platform.
This is what the JSF** script looks like. Source: Check Point
This is what Oded Vanunu, Security Research Group Manager at Check Point, said:
The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.
In response to the vulnerability disclosure, eBay has stated that it hasn’t found any fraudulent activity based on the flaw. In addition, an eBay spokesperson has said that various security filters have been implemented. No more details on eBay’s fixes were provided.
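A defender-side triage check for the kind of payload described above, as an added example that is not from Check Point, eBay, or the original article: it flags inline scripts in listing HTML that are written almost entirely in the six characters `[]()!+` used by JSF** encoding. The character set is general knowledge about the technique rather than something the article states, and the function names, thresholds and sample listings are constructed assumptions.

```javascript
// The six characters JSF**-encoded JavaScript is written in (general knowledge
// about the technique, not stated in the article).
const JSF_CHARS = new Set("[]()!+");

// Fraction of non-whitespace characters drawn from the six-character set.
function jsfRatio(code) {
  const chars = [...code].filter((c) => !/\s/.test(c));
  if (chars.length === 0) return 0;
  return chars.filter((c) => JSF_CHARS.has(c)).length / chars.length;
}

// Pull inline <script> bodies out of listing HTML. A regex is enough for a
// triage heuristic; a production filter would use a real HTML parser.
function scriptBodies(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Flag scripts that are long enough to matter and almost entirely JSF** chars.
// minLength and threshold are assumed tuning values, not vendor settings.
function flagListing(html, { minLength = 20, threshold = 0.95 } = {}) {
  return scriptBodies(html)
    .map((body, index) => ({
      index,
      length: body.trim().length,
      ratio: jsfRatio(body),
    }))
    .filter((s) => s.length >= minLength && s.ratio >= threshold);
}

// Constructed sample listings. The encoded script is a harmless expression
// that only evaluates to the string "fa".
const SAMPLE_ENCODED = `<p>Vintage camera, great condition</p>
<script>(![]+[])[+[]]+(![]+[])[+!+[]]</script>`;
const SAMPLE_NORMAL = `<p>Vintage camera</p>
<script>var price = items[0] + (tax * 2); show(price);</script>`;

console.log(flagListing(SAMPLE_ENCODED)); // one hit
console.log(flagListing(SAMPLE_NORMAL)); // no hits
```

A character-set heuristic like this is a detection aid for reviewing stored listings; it does not replace stripping or sandboxing active content in user-supplied descriptions.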