eBay Vulnerability Exposes Users to Phishing, Data Theft

Researchers are warning that some visitors to eBay.com could be tricked into opening a page on the site that could expose them to phishing attacks and data theft.

The vulnerability exists in the site’s online sales platform, according to Roman Zaikin, a researcher with Check Point. With it, an attacker could bypass the site’s code validation and execute malicious JavaScript against users in their browser or mobile app, the firm warned Tuesday.

Check Point disclosed the issue to eBay on Dec. 15 last year, but when eBay got back to the firm, just over two weeks ago, the company claimed it had no plans to fix the issue.

“As we demonstrated to the eBay security team in the proof of concept, we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” the firm writes.

When reached on Tuesday, eBay insisted it hasn’t seen any attackers exploiting the vulnerability.

“eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident,” a spokesperson with the company said.

Zaikin claims the vulnerability could be exploited if an attacker created an eBay store and used a maliciously crafted item description. If the attacker wrote that description in a specific type of programming language, eBay would then unknowingly load additional script from the attacker’s own server.

The attacker would have to use JSF**k, a non-standard programming style, in their description to pull that code, Zaikin claims. While eBay forbids users from including scripts and iFrames in descriptions – it usually filters out HTML tags – eBay permits JSF**k code.

Invented a few years ago, the language calls itself an “esoteric and educational” programming style “based on the atomic parts of JavaScript.”

Since JSF**k uses only six different characters – []()!+ – and eBay only strips alpha-numeric ones from inside tags, attackers could bypass protections put up by the company.

“This allows the attacker to insert a remote controllable JavaScript that he can adjust to, for example, create multiple payloads for a different user agent,” Check Point writes, adding that an attacker could use it to trick a victim into downloading a malicious app or use the vulnerability to carry out phishing attacks.
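The filtering gap described above, as an added example that is not code from eBay or Check Point: a simplified, assumed model of a filter that strips letters and digits from script bodies, next to a stricter filter and a check for script bodies made only of the six characters. All function names and sample descriptions are constructed for illustration, and the symbol-only sample is a harmless expression that evaluates to the string "f".

```javascript
// Added illustration: a constructed model of the filtering behaviour, not eBay's code.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
const SIX_ONLY = /^[\[\]()!+\s]+$/; // only [ ] ( ) ! + and whitespace

// Weak filter (assumed model): keep the script element, strip letters and digits from its body.
function weakFilter(html) {
  return html.replace(SCRIPT_RE, (match, body) =>
    `<script>${body.replace(/[A-Za-z0-9]/g, "")}</script>`);
}

// Stricter filter: remove script elements entirely instead of editing their contents.
function dropScripts(html) {
  return html.replace(SCRIPT_RE, "");
}

// Detection: report script bodies that consist only of the six characters.
function findSymbolOnlyScripts(html, minLen = 8) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1].trim();
    if (body.length >= minLen && SIX_ONLY.test(body)) hits.push(body);
  }
  return hits;
}

// Constructed sample item descriptions.
const ordinary = "<p>Vintage lamp</p><script>alert(1)</script>";
const symbolOnly = "<p>Vintage lamp</p><script>(![]+[])[+[]]</script>";

// Ordinary script text is neutralised: its body collapses to "()".
console.log(weakFilter(ordinary));
// Symbol-only script text contains nothing to strip, so it passes through unchanged.
console.log(weakFilter(symbolOnly) === symbolOnly);
// The surviving script body is easy to flag after filtering.
console.log(findSymbolOnlyScripts(weakFilter(symbolOnly)));
// Removing the element leaves only the visible description.
console.log(dropScripts(symbolOnly));
```

The regular expressions here only illustrate the gap; a production filter should parse the HTML and keep an allowlist of elements and attributes, backed by a Content Security Policy that blocks inline script.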
