Security researchers from Check Point have discovered that it is possible for attackers to bypass eBay's code validation process and instead control the vulnerable code remotely, using it to execute malicious JavaScript.
All the attacker has to do is create an online eBay store and post an item for sale, injecting malicious code into its description page. Usually eBay prevents users from adding scripts or iFrames to auction and Buy It Now pages, but by using a technique called JSF**k, it is possible to create code that gets around eBay's form verification and loads JavaScript code from an external server, so the attacker can remotely execute different types of malicious code.
The code is able to trick eBay users into visiting a legitimate eBay page that contains the malicious code. As the video above shows, once the page loads onto the eBay user's computer or device, the code can then cause a fake pop-up to load on the page masquerading as an official eBay offer, asking the user either to sign into their account again, so that their credentials are captured in a phishing attack, or to download malware masquerading as a new eBay app.
Check Point says that its researchers discovered the vulnerability in December 2015 and disclosed the details to eBay, but on 16 January eBay responded that it had no intention of fixing the vulnerability, so the researchers decided to publicise their findings.
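For sites that accept user-supplied listing HTML, one server-side check against the JSF**k technique described above is to flag long runs made up only of the six characters that encoding uses. This is an added example, not code from Check Point or eBay; the function names, the threshold and the sample strings are assumptions constructed for illustration.

```javascript
// Heuristic filter for JSF**k-style content in user-submitted HTML.
// JSF**k writes any script with only six characters: [ ] ( ) ! +
// All names and the threshold below are assumed for this example.

// A run of the six characters, optionally separated by whitespace.
const SIX_CHAR_RUN = /[\[\]()!+\s]+/g;

// Assumed tuning value: ordinary prose rarely contains 40 or more
// of these symbols back to back.
const MIN_RUN = 40;

// Return every run whose non-whitespace symbol count reaches minRun.
function findSixCharRuns(html, minRun = MIN_RUN) {
  const hits = [];
  for (const m of html.matchAll(SIX_CHAR_RUN)) {
    const symbols = m[0].replace(/\s/g, "");
    if (symbols.length >= minRun) {
      // Report the offset of the first symbol, skipping leading whitespace.
      hits.push({ index: m.index + m[0].search(/\S/), length: symbols.length });
    }
  }
  return hits;
}

// Decide whether a listing description should be held for review.
function reviewDescription(html) {
  const hits = findSixCharRuns(html);
  return { allow: hits.length === 0, hits };
}

// Constructed sample inputs (not taken from any real listing).
const BENIGN_SAMPLE =
  "<p>Shirt (size M) [new] + free shipping!!</p>";
// Harmless six-character expression repeated; it only builds the string "ffffffffff".
const ENCODED_SAMPLE =
  "<p>Great phone</p><b>" + "(![]+[])[+[]]+".repeat(10) + "[]" + "</b>";

console.log(reviewDescription(BENIGN_SAMPLE));
console.log(reviewDescription(ENCODED_SAMPLE));
```

A filter like this complements, and does not replace, output encoding and a Content Security Policy that blocks inline script and external script origins.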