Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

eBay Flaw Exposes Users to Malware, Phishing Attacks

Security firm Check Point reported on Tuesday that it identified a serious vulnerability in eBay that can be exploited for malware and phishing attacks, but the e-commerce giant believes the risk is low.

Security firm Check Point reported on Tuesday that it identified a serious vulnerability in eBay that can be exploited for malware and phishing attacks, but the e-commerce giant believes the risk is low.

The input validation issue affects the “item description” field of eBay stores. Researchers discovered that because only certain characters are stipped by eBay from script tags, an attacker can insert code designed to call a malicious JavaScript file from a remote server.

According to Check Point, an attacker can set up an online eBay store and add malicious code to the item description section. They can then attempt to trick users into visiting the page containing the malicious code by sending them a link to their eBay store.

As demonstrated in a couple of videos published by the security firm, malicious actors can use a technique called “JSFuck” to trick users into downloading malware or get them to hand over their credentials and other information on a phishing page displayed on top of the legitimate eBay site. The vulnerability can be exploited on the eBay website and the company’s iOS and Android mobile apps.

The vulnerability was reported to eBay on December 15, but a full patch has not been released because eBay believes the risk of malicious attacks is low.

eBay doesn’t completely filter HTML code from stores because it wants to allow sellers to use active content on its marketplace. The company has cross-site scripting (XSS) filters in place to prevent abuse, but Check Point researchers found that the characters allowed by the filter are enough for an attacker to execute potentially malicious code.

By using the JSFuck technique, an attacker can insert a remote JavaScript file into an item’s description using a combination of only six non-alphanumerical characters, namely [ ] ( ) ! and +.

Advertisement. Scroll to continue reading.

While it hasn’t fully patched the issue, eBay says it has implemented various security filters based on Check Point’s findings. The company has pointed out that malicious content is highly uncommon on its marketplace and estimates that less than two in a million listings use active content.

In a 2014 blog post describing how it combats XSS attacks, eBay said it uses various technologies, including a multilevel system for detecting malicious code, and mechanisms that prevent sellers from using certain types of active content in their item descriptions. The company claimed to remove listings containing malicious content within one hour of detection.

“eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident,” eBay told SecurityWeek in an emailed statement.

Related: XSS Flaw Exposed eBay Users to Phishing Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.