
eBay Will Not Patch a Severe Security Flaw, Phishing Attacks Possible

A serious vulnerability in eBay's sales platform has just been exposed by security researchers at Check Point. The vulnerability allows attackers to bypass eBay's code validation. As a result, attackers can control the code remotely and execute malicious JavaScript code on eBay users. The longer the vulnerability is left unpatched, the more likely it is for eBay users to become victims of phishing attacks and data theft.


Unfortunately, eBay has done nothing to fix this serious security flaw. Check Point contacted eBay on Dec 15, 2015. A couple of weeks later, eBay replied that they didn't plan to fix the flaw. It's only natural to wonder why.

The eBay Vulnerability in Detail

The researcher who discovered the flaw is Roman Zaikin. He disclosed that the flaw enables attackers to execute malicious code on various devices via a not-so-typical technique known as 'JSF**'. The technique gives malicious actors the opportunity to use eBay as a phishing site and a malware distribution platform.

[Image: what the JSF** script looks like. Source: Check Point]

To initiate an attack, the attacker only needs to create an online eBay store. There, he can simply post a malicious description of an item. Even though eBay is designed to prevent users from using scripts or iFrames, the JSF**k technique lets the attacker write code that loads additional JS code from his server. As a result, the attacker can insert JavaScript and control it remotely. He can also alter the JS code to create various payloads.
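A filter that only looks for readable script keywords will not see script written entirely in symbols, so a listing platform can also check descriptions for long symbol-only runs. The sketch below is an added example, not code from Check Point or eBay; it assumes the encoding uses only the six characters `[ ] ( ) ! +`, and the function names, threshold and sample descriptions are constructed for illustration.

```javascript
// Added example: flag long runs of symbol-only script in listing HTML.
// Assumption: the encoding draws only on the six characters [ ] ( ) ! +
const SYMBOL_RUN = /[\[\]()!+\s]+/g;

// Return every run made of the six symbols (whitespace tolerated, so
// line-wrapping does not hide it) whose non-whitespace length >= minLen.
function findSymbolRuns(text, minLen = 40) {
  const runs = [];
  for (const m of text.matchAll(SYMBOL_RUN)) {
    const dense = m[0].replace(/\s/g, "");
    if (dense.length >= minLen) {
      runs.push({ offset: m.index, length: dense.length });
    }
  }
  return runs;
}

// Summarise a description for a moderation queue.
function reviewDescription(html, minLen = 40) {
  const runs = findSymbolRuns(html, minLen);
  const longest = runs.reduce((n, r) => Math.max(n, r.length), 0);
  return { suspicious: runs.length > 0, longest, runs };
}

// Constructed samples. The fragment is a harmless 13-character
// expression that evaluates to the letter "f".
const fragment = "(![]+[])[+[]]";
const benign =
  "<p>Vintage camera (tested!) + case [boxed]. Ships in 2 days.</p>";
const obfuscated =
  "<p>Great phone</p><script>" + fragment.repeat(10) + "</script>";
const wrapped = Array(10).fill(fragment).join("\n");

console.log(reviewDescription(benign));
console.log(reviewDescription(obfuscated));
console.log(reviewDescription(wrapped));
```

A hit is a triage signal for review; ordinary punctuation in a description stays far below the threshold.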

This is what Oded Vanunu, Security Research Group Manager at Check Point, said:

The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.

In response to the vulnerability disclosure, eBay has stated that they haven't found any fraudulent activity based on the flaw. Moreover, an eBay spokesperson has also said that various security filters have been implemented. No more details on eBay's fixes were provided.

Milena Dimitrova
