Researchers are warning that some visitors to eBay.com could be tricked into opening a page on the site that could expose them to phishing attacks and data theft.
Check Point disclosed the issue to eBay on Dec. 15 last year, but when eBay got back to the firm just over two weeks ago, the company claimed it had no plans to fix the issue.
“As we demonstrated to the eBay security team in the proof of concept, we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction,” the firm writes.
When reached on Tuesday, eBay insisted it hasn’t seen any attackers exploiting the vulnerability.
“eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident,” a spokesperson with the company said.
The attacker would have to use JSF**k, a non-standard programming style, in their description to pull that code, Zaikin claims. While eBay forbids users from including scripts and iFrames in descriptions – it usually filters out HTML tags – eBay permits JSF**k code.
Since JSF**k uses only six different characters – []()!+ – and eBay only strips alphanumeric ones from inside tags, attackers could bypass the protections put up by the company.
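The filter gap described above, shown as an added example that is not code from the article, Check Point or eBay: `naiveFilter` is a constructed model of the described behaviour (an assumption), and `findSymbolOnlyRuns` is a hypothetical detection check that flags long runs made only of the six JSF**k characters. The sample listing is constructed and carries a harmless expression.

```javascript
// Assumed model of the filtering the article describes: alphanumeric characters
// inside <script> bodies are stripped, every other character passes through.
function naiveFilter(html) {
  return html.replace(/(<script[^>]*>)([\s\S]*?)(<\/script>)/gi,
    (_, open, body, close) => open + body.replace(/[a-z0-9]/gi, "") + close);
}

// Hypothetical detection check: report runs built only from the six-character
// alphabet []()!+ (whitespace allowed between symbols) that are too long to be
// ordinary punctuation in a listing description.
function findSymbolOnlyRuns(text, minLen = 12) {
  const runs = [];
  for (const m of text.matchAll(/[\[\]()!+][\[\]()!+\s]*/g)) {
    const symbols = m[0].replace(/\s/g, "");
    if (symbols.length >= minLen) {
      runs.push({ index: m.index, length: symbols.length });
    }
  }
  return runs;
}

// A listing should be held for review if symbol-only code is present,
// whether or not a filter has already rewritten it.
function shouldHoldForReview(html) {
  return findSymbolOnlyRuns(html).length > 0;
}

// Constructed sample: ordinary prose with punctuation, one conventional script
// statement, and one benign symbol-only expression (it evaluates to "10").
const sampleListing =
  "<p>Vintage camera, works fine (tested!)</p>" +
  "<script>alert(1); [+!+[]]+[+[]]</script>";

const filtered = naiveFilter(sampleListing);
console.log(filtered);                       // alphanumerics gone, symbols intact
console.log(findSymbolOnlyRuns(filtered));   // one run reported
console.log(shouldHoldForReview("<p>Great lens (boxed!) + strap</p>")); // false
```

The check is a signal for review rather than a sanitizer; removing script elements entirely through an allowlist of permitted tags closes the gap that character stripping leaves open.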