A group of researchers from Check Point have discovered a vulnerability affecting the eBay online sales platform that could allow attackers to launch phishing attacks against visitors.
The attack scenario is very simple, hackers can target eBay users by sending them a legitimate page that contains malicious code. By using social engineering the users can be tricked into opening the malicious page triggering the code execution, leading to multiple attack scenarios that range from phishing to binary download.
“Check Point has discovered a severe vulnerability in eBay’s online sales platform. This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious Java script code on targeted eBay users. If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.” states a blog post published by the company.
The attacker would have to use JSF**k, a non-standard technique, in their description to pull the code. The researchers discovered that while eBay forbids users from including scripts and iFrames in descriptions by filtering it, the validation mechanism fails in the presence of JSF**k code.
What it the JSF**k?
eBay doesn’t filter it allowing attackers to use it to launch the attack bypassing the validation mechanism in place.
The bad news it that the researchers reported the issue to eBay on Dec. 15 2015, but just two weeks ago the company replied that it had no plans to solve the problem.
“As we demonstrated to the eBay security team in the proof of concept, we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” continues the post.
Below the proof-of-concept video.
(Security Affairs – eBay, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.