Severe and Unpatched eBay Vulnerability Allows Attackers To Distribute Malware

An anonymous reader writes: Check Point researchers have discovered a severe vulnerability in eBay's online sales platform, which allows criminals to distribute malware and do phishing campaigns. This vulnerability allows attackers to bypass eBay's code validation and control the vulnerable code remotely, to execute malicious Javascript code on targeted eBay users.

Well isn't that lovely

[JustAnotherOldGuy]

Well isn't that lovely...in addition to being the eBay of Thieves, now they can infect your PC as well.

It's like an extra service, I'm only surprised they aren't charging for it.

Re:Well isn't that lovely

[rmdingler]

Infections from ebay are right next to not new,

An attacker can target eBay users by setting up an eBay store with listings for products. The listings page contains the malicious code. Customers can be tricked into opening the page using a pop-up message on the attacker’s eBay store enticing the user into downloading a new eBay mobile application, by offering a one-time discount. If a user taps the download button, they unknowingly download a malicious application to their device...

But damn, tricked into opening the popup message?

That seems like internet Darwinism.

Re:Well isn't that lovely

Naw, if you buy any electronic item, you will get two floor tiles instead of the normal one.

Realistically, who uses eBay, unless it is some oddball item that can't be bought from a more reliable vendor? There are no good deals there, especially with the generations of sniping and auction management software that works as well as a HFT calculator to find stuff underpriced and buy it. Local places and Amazon usually do better.

As for selling stuff, eBay isn't great either. A buyer can do a chargeback and walk off laughing.

Re: Well isn't that lovely

All of the auction sites are a joke. They tend to hook the gambling crowd. You know... The people who just have to have the thrill of the win. I see used shit on eBay, ubid, etc all the time that sells for a price substantially higher than the retail cost of buying the same damn thing brand new. Fuck, look at the nexus 6p on swppa. These fuckers are selling dented phones for $150-200 more than what it costs to get a brand new one from Google play store. And people actually pay money for that shit.

Re: Well isn't that lovely

[hackwrench]

I like it for buying not quite the newest but still contains useful information programming books. A lot of times they can beat Amazon on price and one vendor had/has a buy three get one free deal. I can't look the vendor up at the moment because I'm on my phone and Chrome has a nasty habit of dumping buffers when you switch to another tab and Slashdot's preview function is oddly missing. But anyways, it's rare I have to spend more than $5 for any book. Sometimes I don't get an item matching the description but sellers are generally good about either refunding the money outright without sending the item back, or at least an offer that is better than going through the process of sending the item back. Oh, and ink, can't forget ink. Sometimes people sell lots at good prices, but stay away from the onea that offer around 50 assorted DVDs that are chosen at random, because the DVDs are low quality. I say this while acknowledging that many people might say my standards for entertainment are low.

Re:Well isn't that lovely

> But damn, tricked into opening the popup message?

> That seems like internet Darwinism.

Don't know about eBay, but I get to sites to open up on me when I'm browsing e.g. local news: aliexepress.com and namorico.me (me being "Mexico" AFAIU and "namorico" is "little flirtation" in Portuguese... thus a dating site of sorts, I suppose... or worse).

I already toggled "warn me if sites try to reload or redirect pages" but it was to no avail. Editing the hosts file seems to be a little more complicated these days, not the simple "vi hosts" of yore (at least it seems not to work).

Erasing cookies, cache & whatever I noticed something funny: I go to site "A" then to site "B" and it automatically goes back to site "A" after a few moments (1 to 2 seconds). The only way to prevent that is by pressing Esc to interrupt site B when it's loading. Pretty weird, seems some kind of javascript.

This is a way to take someone to an undesired page (Darwin not involved, thus).

Re: Well isn't that lovely

I recommend buying, not so much settling except in the case of rare/collectable.

Do you have any other recommendations?

Re: Well isn't that lovely

[tibit]

Here's why: credit. There are sources of credit that are only easily spent on eBay and a few other online store services. That's all it takes. A lot of people who buy this stuff can't really afford it anyway, so they pay extortionate prices on eBay and such. And then they pay 25% APR on their PayPal credit after the 6 month zero-interest deal on "$100 or more" runs out.

Any JavaScript is malware, as far as I'm concerned

As far as I'm concerned, any and all JavaScript code is a form of malware. I don't want any of it running on my computers, ever.

LUDDITE!

Modern app appers know that only apps can app apps, and you're a LUDDITE if you don't app apps apped in AppScript!

Apps!

Yep, eBay knows, and doesn't care.

[jeffb+(2.718)]

eBay has been open to JavaScript exploits for well over a decade. When I first realized this, I tried to make a fuss about it, but was met with uniform yawns and dismissal; the post or two that I made about it on eBay's discussion forums was summarily deleted.

If they had been trying to allow a limited subset of JS code in listings, I still would've been alarmed, because I would bet against their ability to define a safe subset, never mind successfully blocking anything else. But it looked to me at the time like they weren't doing any blocking at all. I don't remember exactly what I did in my test listing; it might have been triggering one of their buttons (like Buy It Now) from a button in my description, or it might have been attaching a new action to one of their existing buttons. It looked like I could also have (say) rewritten the price field, so that it looked like you'd be paying one amount but actually get charged a higher amount. I didn't even start trying to generate overlays that look like eBay controls but actually did my bidding, but it looked like the opportunities were practically unlimited. I didn't push hard, and I deleted the listing before anyone else could view it, because I was doing a fair amount of business there at the time, and I didn't want to be the messenger that got shot.

I just can't imagine what they're thinking by letting people embed arbitrary JS in listings. I'm stunned that there hasn't been a catastrophic exploit in all this time. I've assumed that I was simply overlooking some critical piece that they've implemented to guarantee security, but this story doesn't exactly instill confidence.

Re:Yep, eBay knows, and doesn't care.

Aren't you busy mapping mankind's glorious 3D printed future in space for the next millennium?

Re: Yep, eBay knows, and doesn't care.

And don't forget, saving the world with graphene.

  In fact, that needs to be one of the Presidential debate questions. Please tell us, in 3 mins or less, what you plan to do about Iran's 3d printed graphene refinement and its potential impact on minorities?

Re:Yep, eBay knows, and doesn't care.

Man, only if there was a secondary rendering engine that could be separated from the main UI, it would be so awesome so nobody has to worry about UI tampering. .

I'd download that in a Flash.;)

Re: Yep, eBay knows, and doesn't care.

And don't forget, saving the world with graphene.

  In fact, that needs to be one of the Presidential debate questions. Please tell us, in 3 mins or less, what you plan to do about Iran's 3d printed graphene refinement and its potential impact on minorities?

Answer:
the UN Security Council has fully vetted Irans pencil sharpener operations as compliant with UN regulations. Increased production of these tools of mass education can only help to bolster the test scores and standard of living among the minorities in Iranian inner cities and rural commuities. As such I fully endorse their program and will advise our armed forces to begin Blackwing overflight operations in conjuction with ongoing UN aide and pink eraser distribution efforts in the region.

Re:Yep, eBay knows, and doesn't care.

Or webcomponents.

Re:Yep, eBay knows, and doesn't care.

Except, I stopped downloading Flash when I realized that, despite how imperfect web browsers have been at implementing security, Flash's was much worse.

When I really needed to render Flash content recently (to use a web interface for a device), I was quite pleased with Shumway.

Wow: CAPTCHA word: condom

Ebay

EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4

Re:Ebay

[mentil]

EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4

YOU CAN?!?! *sets keyboard on fire typing in ebay.com*

Re:Ebay

[Ann+O'Nymous-Coward]

Yeah but on Alibaba you can get 'em by the container shipload. With added lead!

Re:Ebay

[bobbied]

EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4

Yea, just watch out for the $500,000 shipping/insurance charges...

It takes 30 days to receieve an ebay payment

But Elon Musk has a spaceship

Re:It takes 30 days to receieve an ebay payment

[bobbied]

Really? Wana go for a ride AC? Just remember it's NOT human rated yet..

Re:Any JavaScript is malware, as far as I'm concer

[bobbied]

As far as I'm concerned, any and all JavaScript code is a form of malware. I don't want any of it running on my computers, ever.

And yet, here you are, posting on Slashdot... JavaScript runs deep and wide... Good luck avoiding it.

Re:Any JavaScript is malware, as far as I'm concer

[sexconker]

Ye olde HTML form still exists and works.

No surprise, they're idiots

I've done business with eBay's IT org for years, and I do business with various other enterprise IT shops.

eBay's group is among the worst. Basically clueless, all the time.

This is no surprise.

Re:Any JavaScript is malware, as far as I'm concer

[gstoddart]

But the 7 external sites which all want to run javascript ... I don't let a single one of them do it.

Javascript is best treated as malware. But you pick and choose who you let run it.

You sure as hell don't let any old website run any old script, and call 3rd party scripts -- because that would be idiotic.

And, shockingly, that's how most of the people who make web pages expect it to work ... those ad and analytic companies and the other parasites in pages? Well, they can all fuck off and die.

Malicious code executes on eBay users brains?

[tetraverse]

I hadn't realized modern malware could execute in peoples brains without first going through a computer. Seriously though, how does the code get onto the mobile device without the user first downloading and installing the malware.

UX/UI is stuck in the 90s

[eggstasy]

Let me start by saying... Can we be less american-centric? I bet statistics show most users here are not american.
As for UX: Just look at your competitors and do the same as them. People expect certain modes of interaction.
This is like, UX haphazardly developed by "bits and bytes" geeks, and I myself am one of those old school bit logic and assembly lovers, but I'm not going to pretend I can do a decent GUI (let alone that I would enjoy it).
Showing raw ID codes for users? ID codes for posts? What. You call this web design?
I mean I stare at IDs in databases all day long, but normal users shouldn't see the guts of a system.
What other website / forum has such a limited number of votes?
The zoo system. Do people actually use that? It's strange and unwieldy.
Preview? Why? Can we just edit our posts like everyone else has been doing for the past 15 years, in forums, social networks, whatever?
Why do we have to have a privileged few random people moderating? In other places, everyone can vote, or "Like", or "+1" a post.

Re:UX/UI is stuck in the 90s

You must be new here...