eBay Flaw Exposes Users to Malware, Phishing Attacks

Security firm Check Point reported on Tuesday that it identified a serious vulnerability in eBay that can be exploited for malware and phishing attacks, but the e-commerce giant believes the risk is low.

The input validation issue affects the “item description” field of eBay stores. Researchers discovered that because eBay strips only certain characters from script tags, an attacker can insert code designed to call a malicious JavaScript file from a remote server.

According to Check Point, an attacker can set up an online eBay store and add malicious code to the item description section. They can then attempt to trick users into visiting the page containing the malicious code by sending them a link to their eBay store.

As demonstrated in a couple of videos published by the security firm, malicious actors can use a technique called “JSFuck” to trick users into downloading malware or get them to hand over their credentials and other information on a phishing page displayed on top of the legitimate eBay site. The vulnerability can be exploited on the eBay website and the company’s iOS and Android mobile apps.

The vulnerability was reported to eBay on December 15, but a full patch has not been released because eBay believes the risk of malicious attacks is low.

eBay doesn’t completely filter HTML code from stores because it wants to allow sellers to use active content on its marketplace. The company has cross-site scripting (XSS) filters in place to prevent abuse, but Check Point researchers found that the characters allowed by the filter are enough for an attacker to execute potentially malicious code.

By using the JSFuck technique, an attacker can insert a remote JavaScript file into an item’s description using a combination of only six non-alphanumerical characters, namely [ ] ( ) ! and +.
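The following is an added example, not code from the article, Check Point or eBay: a hypothetical blocklist filter that strips letters and digits from script bodies (a stand-in for the "only certain characters are stripped" behaviour described above), a constructed listing description, and a simple heuristic a content filter could add to flag script bodies composed solely of the six JSFuck characters.

```javascript
// Added example: why a character blocklist on <script> content does not stop
// JSFuck-style code, and a detection heuristic that catches it. The filter is
// a hypothetical stand-in for the behaviour the article describes.

const JSFUCK_CHARS = new Set(['[', ']', '(', ')', '!', '+']);

// Hypothetical blocklist filter: strips letters and digits from the body of
// each <script> tag, on the assumption that no useful code survives without them.
function naiveScriptFilter(html) {
  return html.replace(/<script>([\s\S]*?)<\/script>/gi,
    (_, body) => `<script>${body.replace(/[A-Za-z0-9]/g, '')}</script>`);
}

// True when the non-whitespace body of a script is built solely from the six
// JSFuck characters and is long enough to be more than a stray expression.
function looksLikeJsFuck(scriptBody, minLen = 16) {
  const body = scriptBody.replace(/\s+/g, '');
  if (body.length < minLen) return false;
  for (const ch of body) {
    if (!JSFUCK_CHARS.has(ch)) return false;
  }
  return true;
}

// Scans a listing description and returns the bodies of the scripts flagged.
function flagSuspiciousScripts(html) {
  const flagged = [];
  for (const m of html.matchAll(/<script>([\s\S]*?)<\/script>/gi)) {
    if (looksLikeJsFuck(m[1])) flagged.push(m[1]);
  }
  return flagged;
}

// Constructed sample: one ordinary script and one JSFuck-style expression
// (each (![]+[]) evaluates to the string "false") built from the six characters.
const SAMPLE_DESCRIPTION =
  '<p>Vintage camera</p>' +
  '<script>alert(1)</script>' +
  '<script>(![]+[])+(![]+[])+(![]+[])+(![]+[])</script>';

function demo() {
  const filtered = naiveScriptFilter(SAMPLE_DESCRIPTION);
  return {
    // the plain script is gutted by the blocklist...
    plainScriptSurvived: filtered.includes('alert'),
    // ...but the JSFuck-style one passes through untouched
    jsfuckSurvived: filtered.includes('(![]+[])+(![]+[])'),
    flagged: flagSuspiciousScripts(filtered).length,
  };
}
```

The heuristic is deliberately narrow (pure six-character runs); a production filter would treat any active content in seller-controlled fields as untrusted rather than rely on a character blocklist.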

While it hasn’t fully patched the issue, eBay says it has implemented various security filters based on Check Point’s findings. The company has pointed out that malicious content is highly uncommon on its marketplace and estimates that less than two in a million listings use active content.

In a 2014 blog post describing how it combats XSS attacks, eBay said it uses various technologies, including a multilevel system for detecting malicious code, and mechanisms that prevent sellers from using certain types of active content in their item descriptions. The company claimed to remove listings containing malicious content within one hour of detection.

“eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident,” eBay told SecurityWeek in an emailed statement.

Related: XSS Flaw Exposed eBay Users to Phishing Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
