Security researchers are warning of a new vulnerability on the eBay platform which could allow hackers to spread malware and steal personal information.
The flaw could allow an attacker to remotely bypass the e-commerce giant’s code validation checks to serve up malicious JavaScript to a victim, according to Check Point.
The security vendor claimed that the attack methodology is fairly straightforward.
A hacker first needs to set up an eBay store and then insert malicious code into the product listings page. Punters could then be tricked into opening the page via a pop-up offering them a one-time discount if they download a new ‘eBay mobile app’.
Hitting ‘download’ will trigger a download of a malicious app in the background – exposing the user to phishing or further malware downloads.
Although eBay prevents users from including scripts or iFrames by filtering out those HTML tags, an attacker can load additional JavaScript from their server using a non-standard technique called “JSF**k.”
Inserting this remotely controllable JavaScript enables the attacker to create multiple payloads for different user agents.
Check Point said it disclosed its findings to eBay on 15 December last year, but on 16 January the trading platform responded that it had no plans to fix it.
The security firm and e-commerce platform are now in a stand-off. The latter believes its security controls on active content are sufficient, while Check Point thinks they can be bypassed.
Although eBay performs verification checks on code, it only strips alpha-numeric characters from inside the script tags, Check Point claimed. The JSF**k technique allows hackers to circumvent this protection by writing code with a very limited set of characters.
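The gap Check Point describes can be modelled in a few lines. The following is an added illustration, not code from eBay or Check Point: the filter is a model built from the description above, and the function names, the length threshold and the two sample listings are assumptions constructed for the example.

```javascript
// Added illustration. The filter below models Check Point's description only;
// it is an assumption, not eBay's code. Sample listings are constructed.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
const SIX_SYMBOLS_RE = /^[\[\]()!+\s]+$/; // JSF**k's alphabet: [ ] ( ) ! +

// Weak control: delete letters and digits inside <script> bodies, keep the rest.
function stripAlnumInScripts(html) {
  return html.replace(SCRIPT_RE, (whole, body) =>
    "<script>" + body.replace(/[A-Za-z0-9]/g, "") + "</script>");
}

// Detection: script bodies written entirely in the six-symbol alphabet.
// The minimum length of 8 is an arbitrary threshold chosen for this example.
function findSymbolOnlyScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1].trim();
    if (body.length >= 8 && SIX_SYMBOLS_RE.test(body)) hits.push(body);
  }
  return hits;
}

// Stricter control: reject any listing that carries a script or iframe tag,
// instead of trying to repair it. (Simplified; production code should parse the
// HTML with an allow-list sanitizer rather than match it with a regex.)
function hasActiveContent(html) {
  return /<\s*(script|iframe)\b/i.test(html);
}

const ORDINARY = "<p>Vintage lamp</p><script>alert(1)</script>";
// Harmless encoded fragment: it evaluates to the one-letter string "f".
const ENCODED = "<p>Vintage lamp</p><script>(![]+[])[+[]]</script>";

for (const [name, html] of [["ordinary", ORDINARY], ["encoded", ENCODED]]) {
  console.log(name, {
    afterWeakFilter: stripAlnumInScripts(html),
    symbolOnly: findSymbolOnlyScripts(html).length,
    reject: hasActiveContent(html),
  });
}
```

The ordinary script is reduced to an empty pair of parentheses, while the symbol-only script passes through the modelled filter byte for byte, which is why a character-stripping check cannot stand in for removing active content outright.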
“The eBay attack flow provides cyber-criminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Check Point security research group manager, in a statement.
“The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”
When contacted by Infosecurity, Check Point claimed that eBay had provided no update to its position aside from this generic statement:
“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”