A severe vulnerability affects eBay, beware of phishing attacks

Pierluigi Paganini February 03, 2016

Researchers from Check Point have discovered a flaw affecting the eBay platform that could allow attackers to launch phishing attacks against visitors.

A group of researchers from Check Point has discovered a vulnerability affecting the eBay online sales platform that could allow attackers to launch phishing attacks against visitors.

Visitors could be tricked into opening a page on the site that exposes them to phishing attacks. This is possible because an attacker could bypass the site’s code validation and execute malicious JavaScript against users via their browser or mobile app.

The attack scenario is very simple: hackers can target eBay users by sending them a legitimate page that contains malicious code. Through social engineering, users can be tricked into opening the malicious page, triggering the code execution and leading to multiple attack scenarios that range from phishing to binary download.

“Check Point has discovered a severe vulnerability in eBay’s online sales platform. This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious JavaScript code on targeted eBay users. If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft,” states a blog post published by the company.


The attacker would have to use JSF**k, a non-standard technique, in their description to pull in the code. The researchers discovered that while eBay forbids users from including scripts and iFrames in descriptions by filtering them, the validation mechanism fails in the presence of JSF**k code.

What is JSF**k?

According to the description on the official website, JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript that uses only six different characters, []()!+, to write and execute code.

eBay doesn’t filter it, allowing attackers to use it to bypass the validation mechanism in place and launch the attack.
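A defensive check for the gap described above, as an added example that is not code from eBay or Check Point: since JSFuck uses only the six characters []()!+, a long unbroken run of them in a submitted description is easy to flag. The function names, the 12-character threshold and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: heuristic detector for JSFuck-style runs in user-submitted
// listing descriptions. Names and the default threshold are assumptions.
const JSFUCK_CHARS = new Set("[]()!+");

// Returns the length of the longest run made only of the six JSFuck
// characters. Whitespace inside a run is tolerated but not counted, so
// padding the code with spaces or newlines does not hide it.
function longestJsfuckRun(text) {
  let best = 0;
  let current = 0;
  for (const ch of text) {
    if (JSFUCK_CHARS.has(ch)) {
      current += 1;
      if (current > best) best = current;
    } else if (!/\s/.test(ch)) {
      current = 0; // any other visible character breaks the run
    }
  }
  return best;
}

// Flags a description when a run reaches minRun characters. Ordinary prose
// and markup rarely chain more than a few of these symbols together.
function inspectDescription(text, minRun = 12) {
  const run = longestJsfuckRun(text);
  return { longestRun: run, suspicious: run >= minRun };
}

// Constructed sample inputs (not taken from the eBay proof of concept).
const samples = {
  plain: "Vintage camera (1970s) + case! Works great [see photos].",
  markup: "<b>New!</b> Ships in 2-3 days (tracked).",
  // Harmless JSFuck fragment: it evaluates to the single letter "f".
  encoded: "Nice item <span>(![]+[])[+[]]</span>",
  spaced: "( ! [] + [] ) [ + [] ] + ( ! [] + [] ) [ + [] ]",
};

for (const [name, text] of Object.entries(samples)) {
  console.log(name, inspectDescription(text));
}
```

A run-length heuristic like this supplements allowlist-based sanitization of user-supplied HTML and does not replace it.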

“This allows the attacker to insert a remote controllable JavaScript that he can adjust to, for example, create multiple payloads for a different user agent,” Check Point writes, adding that an attacker could use it to trick a victim into downloading a malicious app or use the vulnerability to carry out phishing attacks.

The bad news is that the researchers reported the issue to eBay on Dec. 15, 2015, but just two weeks ago the company replied that it had no plans to solve the problem.

“As we demonstrated to the eBay security team in the proof of concept, we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” continues the post.

Below is the proof-of-concept video.

Pierluigi Paganini

(Security Affairs – eBay, hacking)

 


