eBay Isn’t Fixing a Serious Security Vulnerability

Popular shopping website and online auction house eBay is facing controversy after revealing that it has no intention of fixing a serious security vulnerability. If exploited, the vulnerability allows cyber criminals to target users and distribute phishing and malware campaigns.

The vulnerability came to light when security researchers at Check Point found that malicious attackers can bypass eBay’s code validation process. With that capability, attackers could control the vulnerable code from a remote location. This could lead to troubling times for eBay users, as attackers would then have the means to execute malicious JavaScript.

Fundamentally, the vulnerability grants attackers the means to bypass a key restriction that keeps user posts from hosting JavaScript code that is then executed on end-user devices.

The Exploit

To pull off a successful exploit, an attacker would simply need to create an online eBay store. Among the details of the store, the attacker would then post a malicious item description.

Although eBay routinely prevents users from adding scripts or iframes to the ‘Buy It Now’ and auction pages, the restriction can be bypassed. Using a technique called JSF**k, attackers can create a workaround, bypassing eBay’s built-in form verification so that it accepts JavaScript code from a remote server.

The attacker can then trick eBay users into visiting and loading a legitimate eBay page that contains the malicious code.
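
As an added example (not code from Check Point's report or from eBay), here is a server-side screen a marketplace could run on submitted descriptions. The technique named above writes JavaScript using only the six characters []()!+, so it contains no keywords for a filter to match, but long runs of that alphabet are easy to flag. The function names, the 60-symbol threshold and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: flag runs of the six-character alphabet in listing HTML.
// Names, threshold and samples are assumptions, not eBay's or Check Point's code.
const SIX_CHAR_RUN = /[\[\]()!+\s]+/g;

// Decode numeric character references so "&#91;" / "&#x5b;" cannot hide brackets.
function decodeNumericEntities(text) {
  return text.replace(/&#(x[0-9a-f]+|\d+);?/gi, (m, code) => {
    const n = code[0].toLowerCase() === 'x'
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    return n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : m;
  });
}

// Return every run of the six-character alphabet with at least minLen symbols.
// Whitespace inside a run is tolerated but not counted toward the length.
function findJsfuckRuns(text, minLen = 60) {
  const decoded = decodeNumericEntities(text);
  const hits = [];
  for (const match of decoded.matchAll(SIX_CHAR_RUN)) {
    const symbols = match[0].replace(/\s/g, '');
    // Require brackets: "!!!!!!" or "+++++" alone is ordinary seller punctuation.
    if (symbols.length >= minLen && /[\[\]]/.test(symbols)) {
      hits.push({ index: match.index, length: symbols.length });
    }
  }
  return hits;
}

// Decision a submission pipeline could take on a description.
function review(description) {
  return findJsfuckRuns(description).length > 0 ? 'hold-for-review' : 'accept';
}

// Constructed samples (not taken from the report).
const benign = '<p>Great phone (unlocked)!!! Ships in 2+ days [new].</p>';
const fragment = '(![]+[])[+[]]+'; // harmless: evaluates to the letter "f"
const encoded = '<div>' + fragment.repeat(10) + '[]</div>';
const entityHidden = encoded.replace(/\[/g, '&#91;');

console.log(review(benign), review(encoded), review(entityHidden));
```

A hit is a reason to hold a listing for review, not a substitute for output encoding or a Content Security Policy that blocks inline and remote scripts.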

A blog post published by Check Point explained the potential fallout if the vulnerability were exploited:

The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.

Check Point reached out to eBay with an initial report and the proof of concept on December 15th. However, the e-commerce giant responded that it did not regard the potential exploit as a vulnerability.

The researchers added that the proof-of-concept exhibited the exploit through which eBay’s security policies were compromised. Malicious code was also embedded onto a seller page set up by the researchers.

“At this point, all we can do is hope that eBay will eventually decide to do something about this vulnerability,” the researchers added.
