eBay REFUSE to fix major security vulnerability

eBay has refused to fix a major flaw in its online sales platform that is being used to target Android, iOS and Windows users with malware, according to security firm Check Point.

The company today published details of a “severe vulnerability” it said it had discovered in the platform last December.

The hole allows attackers to bypass eBay’s code validation and control exploit JavaScript code remotely to distribute phishing and malware campaigns on eBay users.

While eBay has a filter in place to stop sellers from doing anything other than adding basic HTML on a page to highlight text, using the so-called JSF**K technique (which is based on the atomic parts of JavaScript) allows attackers to bypass the limitations.

In their online eBay store, attackers can create code that loads an additional JS code from their server, allowing them to inject remotely controllable JavaScript.

Users are then presented with a legitimate page containing the malicious code, the security firm said, which when opened executes code onto the user’s browser or mobile app that allows for a range of nefarious activities such as phishing and binary download.

Check Point said it disclosed the flaw to eBay on December 15 last year, but the company last month informed the firm it had no plans to fix the vulnerability.

The exploit demo is currently still live, Check Point said.

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” Check Point security research group manaher Oded Vanuna wrote.

“The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”

The firm said eBay had informed it that it would not fix the vulnerability as it wanted to keep the active content capability.

“We’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure,” eBay said.

Active content in eBay listings were also abused two years ago, with attackers using malicious JavaScript to steal user credentials.

At the time, researchers noted that apart from JavaScript, it was possible to insert malicious Adobe Flash code into listings.