Online auction and shopping website eBay is under fire after refusing to fix a severe security vulnerability that enables cybercriminals to target its users and distribute phishing and malware campaigns.
Security researchers from Check Point have discovered that it is possible for attackers to bypass eBay's code validation process and instead control the vulnerable code remotely, using it to execute malicious JavaScript.
All the attacker has to do is create an online eBay store and post an item for sale, injecting malicious code into its description page. Usually eBay prevents users from adding scripts or iframes to auction and 'Buy It Now' pages, but by using a technique called JSF**k, it is possible to write code that gets around eBay's form verification and loads JavaScript from an external server, so the attacker can remotely execute different types of malicious code.
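For defenders who accept user-supplied HTML, this encoding is easy to spot because it writes JavaScript using only the six characters `[]()!+`. The following is an added example, not code from eBay or Check Point: a scanner that flags long runs of those characters in a listing description. The function names, the 40-character threshold and the sample listings are assumptions constructed for illustration.

```python
import html
import re

# The encoding named in the article uses only these six characters.
# MIN_RUN is an assumed threshold; tune it against real listing data.
MIN_RUN = 40
_RUN = re.compile(r"(?:[\[\]()!+]\s*){%d,}" % MIN_RUN)


def jsfuck_runs(description_html):
    """Return (offset, length) of each suspicious run in a description.

    HTML entities are decoded first, so a run written as &#91; / &#93;
    is still found. Offsets refer to the decoded text.
    """
    decoded = html.unescape(description_html)
    return [(m.start(), len(m.group())) for m in _RUN.finditer(decoded)]


def is_suspicious(description_html):
    """True if the description contains at least one long six-character run."""
    return bool(jsfuck_runs(description_html))


# Constructed sample inputs (not taken from any real listing).
SAMPLE_BENIGN = "<p>Vintage camera (boxed) [1970s] + case!</p>"

# Harmless constructed fragment: each unit evaluates to the letter "f".
FRAGMENT = "(![]+[])[+[]]+" * 5
SAMPLE_FLAGGED = "<p>Great item</p><script>" + FRAGMENT + "[]</script>"

# The same content with square brackets written as numeric entities.
SAMPLE_ENTITY_ENCODED = (
    SAMPLE_FLAGGED.replace("[", "&#91;").replace("]", "&#93;")
)

if __name__ == "__main__":
    for name, sample in [
        ("benign", SAMPLE_BENIGN),
        ("flagged", SAMPLE_FLAGGED),
        ("entity-encoded", SAMPLE_ENTITY_ENCODED),
    ]:
        print(name, is_suspicious(sample), jsfuck_runs(sample))
```

A check like this is a detection signal to route listings for review, not a replacement for sanitising or sandboxing active content.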
The attacker can then trick eBay users into visiting a legitimate eBay page that contains the malicious code. As the video above shows, once the page loads on the eBay user's computer or device, the code can cause a fake pop-up to appear on the page masquerading as an official eBay offer. The pop-up asks the user either to sign in to their account again, so that their credentials are captured in a phishing attack, or to download malware masquerading as a new eBay app.
Check Point says that its researchers discovered the vulnerability in December 2015 and disclosed the details to eBay, but on 16 January eBay responded that it had no intention of fixing the vulnerability, so the researchers decided to publicise their findings.
"The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user's account," Oded Vanunu, security research group manager at Check Point, wrote in a blog post.
A spokesperson for eBay told IBTimes UK: "We have been in contact with the researcher and we have implemented various security filters based on his findings to detect this exploit. Since we allow active content on our site, it's important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.
"eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident."
UPDATE [10.26am GMT, 4 February]: This article has been updated to include eBay's response.