Attackers can bypass controls to distribute malware.
eBay has refused to fix a major flaw in its online sales platform that is being used to target Android, iOS and Windows users with malware, according to security firm Check Point.
Check Point today published details of what it called a “severe vulnerability” that it discovered in the platform last December.
By bypassing the platform’s controls, an attacker can plant malicious code in a listing. Users are then presented with a legitimate eBay page containing that code, the security firm said, which executes in the user’s browser or mobile app when the page is opened and enables a range of nefarious activities such as phishing and the download of malicious binaries.
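The general weakness in that flow is seller-controlled HTML reaching other users' browsers with active content intact. The following is an added illustration, not Check Point's bypass and not eBay's filter: a blocklist that only strips `<script>` tags leaves other active content (inline event handlers, `javascript:` URLs) untouched, whereas an allowlist sanitizer that keeps only known-safe tags, attributes and URL schemes neutralises all of it. The listing markup, tag and attribute allowlists and the `containsActiveContent` check are constructed for this example.

```javascript
// Added example (not from Check Point's report or eBay's code): blocklist vs
// allowlist filtering of seller-supplied listing HTML.

// Naive blocklist filter: removes <script> tags and nothing else.
function stripScriptTags(html) {
  return html.replace(/<\s*\/?\s*script\b[^>]*>/gi, "");
}

// Allowlist sanitizer. Only these tags/attributes survive; every other tag is
// escaped to inert text, so no on* handler or javascript: URL can reach the DOM.
const ALLOWED_TAGS = new Set(["b", "i", "p", "br", "ul", "li", "a", "img"]);
const ALLOWED_ATTRS = { a: new Set(["href"]), img: new Set(["src", "alt"]) };
const SAFE_URL = /^(https?:\/\/|\/)/i; // rejects javascript:, data:, vbscript:

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function sanitizeListing(html) {
  // Simple tag tokenizer; sufficient for the illustration (a real sanitizer
  // should use an HTML parser rather than regexes).
  const TAG = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = TAG.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TAG.lastIndex;
    const closing = m[1];
    const name = m[2].toLowerCase();
    const rawAttrs = m[3];
    if (!ALLOWED_TAGS.has(name)) { out += escapeText(m[0]); continue; } // inert text
    if (closing) { out += "</" + name + ">"; continue; }
    const attrs = [];
    const ATTR = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = ATTR.exec(rawAttrs)) !== null) {
      const key = a[1].toLowerCase();
      const val = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || "");
      const allowed = ALLOWED_ATTRS[name];
      if (!allowed || !allowed.has(key)) continue;          // drops onerror, onclick, style...
      if ((key === "href" || key === "src") && !SAFE_URL.test(val.trim())) continue; // drops javascript:
      attrs.push(key + '="' + escapeText(val) + '"');
    }
    out += "<" + name + (attrs.length ? " " + attrs.join(" ") : "") + ">";
  }
  out += escapeText(html.slice(last));
  return out;
}

// Crude detector used only to compare the two filters' output.
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed listing body: benign markup plus three active-content vectors.
const CONSTRUCTED_LISTING =
  '<p>Great phone!</p>' +
  '<img src="https://example.com/p.png" onerror="alert(1)">' +
  '<a href="javascript:alert(2)">Buy</a>' +
  '<script>alert(3)</script>';

function compareFilters(html) {
  return {
    blocklist: stripScriptTags(html),
    allowlist: sanitizeListing(html),
  };
}
```

Running `compareFilters(CONSTRUCTED_LISTING)` shows the blocklist output still carrying the `onerror` handler and the `javascript:` link, while the allowlist output keeps the image and link tags but with the dangerous attributes removed and the script escaped to text. In production, use a maintained parser-based sanitizer such as DOMPurify rather than the regex tokenizer above.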
Check Point said it disclosed the flaw to eBay on December 15 last year, but the company last month informed the firm it had no plans to fix the vulnerability.
The exploit demo is currently still live, Check Point said.
“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” Check Point security research group manager Oded Vanunu wrote.
“The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”
The firm said eBay had informed it that it would not fix the vulnerability as it wanted to keep the active content capability.
“We’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure,” eBay said.
Credit and source: http://www.itnews.com.au/