Security firm Check Point reported on Tuesday that it identified a serious vulnerability in eBay that can be exploited for malware and phishing attacks, but the e-commerce giant believes the risk is low.
The input validation issue affects the “item description” field of eBay stores. Researchers discovered that because only certain characters are stipped by eBay from script tags, an attacker can insert code designed to call a malicious JavaScript file from a remote server.
According to Check Point, an attacker can set up an online eBay store and add malicious code to the item description section. They can then attempt to trick users into visiting the page containing the malicious code by sending them a link to their eBay store.
As demonstrated in a couple of videos published by the security firm, malicious actors can use a technique called “JSFuck” to trick users into downloading malware or get them to hand over their credentials and other information on a phishing page displayed on top of the legitimate eBay site. The vulnerability can be exploited on the eBay website and the company’s iOS and Android mobile apps.
The vulnerability was reported to eBay on December 15, but a full patch has not been released because eBay believes the risk of malicious attacks is low.
eBay doesn’t completely filter HTML code from stores because it wants to allow sellers to use active content on its marketplace. The company has cross-site scripting (XSS) filters in place to prevent abuse, but Check Point researchers found that the characters allowed by the filter are enough for an attacker to execute potentially malicious code.
By using the JSFuck technique, an attacker can insert a remote JavaScript file into an item’s description using a combination of only six non-alphanumerical characters, namely [ ] ( ) ! and +.
While it hasn’t fully patched the issue, eBay says it has implemented various security filters based on Check Point’s findings. The company has pointed out that malicious content is highly uncommon on its marketplace and estimates that less than two in a million listings use active content.
In a 2014 blog post describing how it combats XSS attacks, eBay said it uses various technologies, including a multilevel system for detecting malicious code, and mechanisms that prevent sellers from using certain types of active content in their item descriptions. The company claimed to remove listings containing malicious content within one hour of detection.
“eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident,” eBay told SecurityWeek in an emailed statement.
Related: XSS Flaw Exposed eBay Users to Phishing Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
Latest News
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
