Slashdot Mirror

← Back to Stories (view on slashdot.org)

Severe and Unpatched eBay Vulnerability Allows Attackers To Distribute Malware

Posted by timothy on from the not-to-mention-unwanted-housewares dept.

An anonymous reader writes: Check Point researchers have discovered a severe vulnerability in eBay's online sales platform, which allows criminals to distribute malware and do phishing campaigns. This vulnerability allows attackers to bypass eBay's code validation and control the vulnerable code remotely, to execute malicious Javascript code on targeted eBay users.

1 of 30 comments (clear)

  1. Yep, eBay knows, and doesn't care. by jeffb+(2.718) · · Score: 4, Informative

    eBay has been open to JavaScript exploits for well over a decade. When I first realized this, I tried to make a fuss about it, but was met with uniform yawns and dismissal; the post or two that I made about it on eBay's discussion forums was summarily deleted.

    If they had been trying to allow a limited subset of JS code in listings, I still would've been alarmed, because I would bet against their ability to define a safe subset, never mind successfully blocking anything else. But it looked to me at the time like they weren't doing any blocking at all. I don't remember exactly what I did in my test listing; it might have been triggering one of their buttons (like Buy It Now) from a button in my description, or it might have been attaching a new action to one of their existing buttons. It looked like I could also have (say) rewritten the price field, so that it looked like you'd be paying one amount but actually get charged a higher amount. I didn't even start trying to generate overlays that look like eBay controls but actually did my bidding, but it looked like the opportunities were practically unlimited. I didn't push hard, and I deleted the listing before anyone else could view it, because I was doing a fair amount of business there at the time, and I didn't want to be the messenger that got shot.

    I just can't imagine what they're thinking by letting people embed arbitrary JS in listings. I'm stunned that there hasn't been a catastrophic exploit in all this time. I've assumed that I was simply overlooking some critical piece that they've implemented to guarantee security, but this story doesn't exactly instill confidence.