The eBay site is used by millions of people and as a result, has a level of trust with its users buying and selling countless items each day. Imagine then, how lucrative a target this massive user base could be for an attacker. Check Point’s security researchers have found just such a vulnerability in eBay that allows malicious users to bypass the code validation that is in-place and remotely control the vulnerable code to execute malicious Javascript code on the browsers of targetted users.
Check Point warn that leaving the flaw unpatched will expose the online marketplace’s huge userbase to the risk of data theft and phishing attacks while eBay believes that the actual risk of a malicious attack is very low. eBay was made aware of the vulnerability on December 15th, but they are yet to issue a complete patch for the weakness, instead claiming to have implemented additional security filters based on the report to reduce the risk.
eBay told Security Week “eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”
One of the ways that an attacker could target eBay users is by first sending them to a legitimate page which contains the malicious code. By setting up an eBay store and adding malicious code to the description section of items, users can be tricked by attackers into visiting pages containing harmful code. This code could do a number of things once opened, from phishing for data or even downloading binaries to the computer or device. eBay report that as few as two in a million items listed on their site use active content, making the chance of being targeted by malicious content is low. Despite this, Check Point stated that they have demonstrated a proof-of-concept for the attack to the eBay security team, with them able to bypass restrictions and deploy malicious code to their seller page without any difficulty.
The finding was made public by Check Point public on Tuesday, hoping that it may push the e-commerce site to patch the vulnerability quickly. This is a good example of how even the sites that seem the most trustworthy can hide potential danger. Until a patch is released, taking care when using eBay may just be the best bet.
Electronic Arts (EA) announced today that its games were played for over 11 billion hours…
Steam's annual end-of-year recap, Steam Replay, provides fascinating insights into gamer habits by comparing individual…
GSC GameWorld released a major title update for STALKER 2 this seeking, bringing the game…
Without any formal announcement, Intel appears to have revealed its new Core 200H series processors…
Ubisoft is not having the best of times, but despite recent flops, the company still…
If you haven’t started playing STALKER 2: Heart of Chornobyl yet, now might be the…