Security researchers have discovered a new vulnerability on the eBay platform which could allow hackers to spread malware and steal personal information. According to Checkpoint the site contains a vulnerability that allows hackers to use malicious JavaScript code to target merchants and buyers and steal their information, money, and even products.
If this flaw is left unpatched then eBay’s customers will continue to be exposed to potential phishing attacks and data theft. Among the exploits that hackers can pull off with the trick is sending users to legitimate-looking pages via links or referrals that contain the malicious code. Once on the page, the JavaScript takes over, parsing a user’s computer or mobile device for information, or enrolling them in a botnet or similar hacker scheme, without their knowledge.
Checkpoint said that it had alerted eBay of the problem but it hasn’t taken any measures regarding this. but eBay isn’t interested to fix this flaw so far putting all its user’s in danger. Although eBay prevents users from including scripts or iFrames by filtering out those HTML tags, an attacker can load additional JavaScript from their server using a non-standard technique called “JSF**k”.
However Check Point discovered that using a version of JavaScript termed JSF**K , hackers are able to bypass these filters and trick users into downloading malicious apps, or present pop-up boxes asking for information.
“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user”s account”, said Oded Vanunu, Security Research Group Manager at Check Point.
