Security Flaw in eBay Exposes Users to Malware and Phishing Attacks

February 3, 2016


Cyber crime is increasing day by day, and organisations are taking stronger steps to protect their data on the internet.

Against this backdrop, the security firm Check Point identified a serious vulnerability in eBay. According to the report, an attacker could exploit it for malware and phishing attacks.

This vulnerability allows attackers to bypass eBay’s code validation and remotely control the vulnerable code to execute malicious JavaScript against targeted eBay users.

eBay, the online auction and e-commerce giant, has locations in over 30 countries and serves more than 150 million active users worldwide. As a successful company with a massive customer base, it’s no surprise that the corporation has been the target of many cyberattacks.

The issue was reported to eBay on Tuesday but the e-commerce giant believes the risk is low.

The input validation issue affects the “item description” field of eBay stores. Researchers discovered that because eBay strips only certain characters from script tags, an attacker can insert code designed to load a malicious JavaScript file from a remote server.

How the issue can be exploited

Issue 1

An attacker can set up an online eBay store and add malicious code to the item description section. They can then attempt to trick users into visiting the page containing the malicious code by sending them a link to their eBay store.

Issue 2

Check Point security researcher Roman Zaikin discovered one more vulnerability that allows attackers to execute malicious code on eBay users’ devices, using a non-standard technique called “JSF**k.” This vulnerability could allow cyber criminals to use eBay as a phishing and malware distribution platform.

Check Point also provided some POC videos for the reported issues.


What is JSF**k?

Written by Martin Kleppe, this technique uses only non-alphanumeric characters, which allows an attacker to bypass the payload sanitisation of IDSs, IPSs and WAFs. Only six different characters are used: []()!+

The following basic vocabulary helps us write anything we need:

  1. [ and ] – Access array elements and object properties, get numbers, and cast elements to strings.
  2. ( and ) – Call functions and avoid parsing errors.
  3. + – Append strings, sum and cast elements to numbers.
  4. ! – Cast elements to Booleans.
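As an added example (not code from the original post, from Check Point, or from eBay), the following JavaScript shows how the four-item vocabulary above combines into ordinary numbers, booleans and characters, and a simple check a content filter for a description field could use to flag a long run of those six characters; the 32-character threshold and the sample descriptions are constructed assumptions.

```javascript
// Each entry maps a JSFuck expression (built only from [ ] ( ) ! +) to the
// plain value the JavaScript engine produces when it is evaluated.
const PRIMITIVES = {
  "+[]": 0,                       // unary plus: [] -> "" -> 0
  "!+[]": true,                   // !0
  "+!+[]": 1,                     // +true
  "!+[]+!+[]": 2,                 // true + true
  "[]+[]": "",                    // array + array concatenates to ""
  "![]+[]": "false",              // boolean + array -> string "false"
  "(![]+[])[+[]]": "f",           // "false"[0]
  "(![]+[])[+!+[]]": "a",         // "false"[1]
  "([][[]]+[])[+[]]": "u",        // [][""] is undefined -> "undefined"[0]
  "(!![]+[])[+[]]": "t",          // "true"[0]
};

// Evaluates one of the constant expressions above so the mapping can be
// checked; the input is restricted to the six-character alphabet first.
function evaluateJsfuck(expr) {
  if (!/^[\[\]()!+]+$/.test(expr)) {
    throw new Error("not a JSFuck expression: " + expr);
  }
  return Function("return (" + expr + ")")();
}

// Detection heuristic: legitimate listing text rarely contains 32 or more
// consecutive characters drawn only from the JSFuck alphabet. The threshold
// is an assumption for this example, not a value from the report.
const JSFUCK_RUN = /[\[\]()!+]{32,}/;

function looksLikeJsfuck(text) {
  return JSFUCK_RUN.test(text);
}

// Constructed sample descriptions: one benign, one carrying an encoded run.
const BENIGN_DESCRIPTION = "Brand new! (Free shipping) [Boxed] + charger";
const SUSPICIOUS_DESCRIPTION =
  "Brand new! <script>" + "(![]+[])[+[]]+".repeat(4) + "</script>";

function scanDescriptions() {
  return {
    benign: looksLikeJsfuck(BENIGN_DESCRIPTION),         // false
    suspicious: looksLikeJsfuck(SUSPICIOUS_DESCRIPTION), // true
  };
}
```

A match only flags a description for review: the heuristic says nothing about what the payload does, and encodings that mix in other characters would need different checks.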

eBay has started to fix the reported issues. According to eBay’s statement:

We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.
