Serious Vulnerability Exposes eBay Users to Data Theft, Phishing Attacks
A serious vulnerability has been discovered in eBay, exposing users to malware and phishing attacks.
eBay has no plans to fix a serious flaw:
eBay, however, believes that the risk of malicious attacks is very low. The vulnerability was reported to the company on December 15, but a full patch is yet to be released. eBay says that it has implemented various security filters based on Check Point's findings to reduce the risk of attacks. It said in a statement to Security Week:
"eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident."
According to Check Point, an attacker could target eBay users by sending them a legitimate page containing malicious code. After setting up an online eBay store and adding malicious code to the item description section, criminals can trick users into visiting the page, which hides the malicious code inside. Once the page opens, the code will be executed by the user's browser or mobile app, leading to "multiple ominous scenarios that range from phishing to binary download."
eBay points out that malicious content is highly uncommon on its marketplace and that fewer than two in a million listings use active content. Check Point retorts that it demonstrated to the eBay security team in the PoC that it was able to "bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction."
Check Point made its findings available to the public this Tuesday and wishes to see eBay patch the vulnerability. However, eBay doesn't seem to have any plans to fix the severe vulnerability. For more details on this flaw, please visit Check Point.