Severe and Unpatched eBay Vulnerability Allows Attackers To Distribute Malware

← Back to Stories (view on slashdot.org)

Severe and Unpatched eBay Vulnerability Allows Attackers To Distribute Malware

Posted by timothy on Tuesday February 2, 2016 @11:50AM from the not-to-mention-unwanted-housewares dept.

An anonymous reader writes: Check Point researchers have discovered a severe vulnerability in eBay's online sales platform, which allows criminals to distribute malware and do phishing campaigns. This vulnerability allows attackers to bypass eBay's code validation and control the vulnerable code remotely, to execute malicious Javascript code on targeted eBay users.

15 of 30 comments (clear)

Min score:

Reason:

Sort:

Well isn't that lovely by JustAnotherOldGuy · 2016-02-02 12:04 · Score: 3, Funny

Well isn't that lovely...in addition to being the eBay of Thieves, now they can infect your PC as well.
It's like an extra service, I'm only surprised they aren't charging for it.

--
Just cruising through this digital world at 33 1/3 rpm...
1. Re:Well isn't that lovely by rmdingler · 2016-02-02 12:39 · Score: 1
  
  Infections from ebay are right next to not new,
  
  An attacker can target eBay users by setting up an eBay store with listings for products. The listings page contains the malicious code. Customers can be tricked into opening the page using a pop-up message on the attacker’s eBay store enticing the user into downloading a new eBay mobile application, by offering a one-time discount. If a user taps the download button, they unknowingly download a malicious application to their device...
  But damn, tricked into opening the popup message?
  That seems like internet Darwinism.
  
  --
  Happiness in intelligent people is the rarest thing I know.
  Ernest Hemingway
2. Re: Well isn't that lovely by hackwrench · 2016-02-02 13:32 · Score: 1
  
  I like it for buying not quite the newest but still contains useful information programming books. A lot of times they can beat Amazon on price and one vendor had/has a buy three get one free deal. I can't look the vendor up at the moment because I'm on my phone and Chrome has a nasty habit of dumping buffers when you switch to another tab and Slashdot's preview function is oddly missing. But anyways, it's rare I have to spend more than $5 for any book. Sometimes I don't get an item matching the description but sellers are generally good about either refunding the money outright without sending the item back, or at least an offer that is better than going through the process of sending the item back. Oh, and ink, can't forget ink. Sometimes people sell lots at good prices, but stay away from the onea that offer around 50 assorted DVDs that are chosen at random, because the DVDs are low quality. I say this while acknowledging that many people might say my standards for entertainment are low.
3. Re: Well isn't that lovely by tibit · 2016-02-03 02:39 · Score: 1
  
  Here's why: credit. There are sources of credit that are only easily spent on eBay and a few other online store services. That's all it takes. A lot of people who buy this stuff can't really afford it anyway, so they pay extortionate prices on eBay and such. And then they pay 25% APR on their PayPal credit after the 6 month zero-interest deal on "$100 or more" runs out.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
Any JavaScript is malware, as far as I'm concerned by Anonymous Coward · 2016-02-02 12:05 · Score: 1

As far as I'm concerned, any and all JavaScript code is a form of malware. I don't want any of it running on my computers, ever.
Yep, eBay knows, and doesn't care. by jeffb+(2.718) · 2016-02-02 12:14 · Score: 4, Informative

eBay has been open to JavaScript exploits for well over a decade. When I first realized this, I tried to make a fuss about it, but was met with uniform yawns and dismissal; the post or two that I made about it on eBay's discussion forums was summarily deleted.
If they had been trying to allow a limited subset of JS code in listings, I still would've been alarmed, because I would bet against their ability to define a safe subset, never mind successfully blocking anything else. But it looked to me at the time like they weren't doing any blocking at all. I don't remember exactly what I did in my test listing; it might have been triggering one of their buttons (like Buy It Now) from a button in my description, or it might have been attaching a new action to one of their existing buttons. It looked like I could also have (say) rewritten the price field, so that it looked like you'd be paying one amount but actually get charged a higher amount. I didn't even start trying to generate overlays that look like eBay controls but actually did my bidding, but it looked like the opportunities were practically unlimited. I didn't push hard, and I deleted the listing before anyone else could view it, because I was doing a fair amount of business there at the time, and I didn't want to be the messenger that got shot.
I just can't imagine what they're thinking by letting people embed arbitrary JS in listings. I'm stunned that there hasn't been a catastrophic exploit in all this time. I've assumed that I was simply overlooking some critical piece that they've implemented to guarantee security, but this story doesn't exactly instill confidence.
Ebay by Anonymous Coward · 2016-02-02 12:25 · Score: 1

EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4
1. Re:Ebay by mentil · 2016-02-02 12:45 · Score: 1
  
  EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4
  YOU CAN?!?! *sets keyboard on fire typing in ebay.com*
  
  --
  Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
2. Re:Ebay by Ann+O'Nymous-Coward · 2016-02-02 12:58 · Score: 1
  
  Yeah but on Alibaba you can get 'em by the container shipload. With added lead!
3. Re:Ebay by bobbied · 2016-02-02 13:03 · Score: 1
  
  EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4
  Yea, just watch out for the $500,000 shipping/insurance charges...
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Re:Any JavaScript is malware, as far as I'm concer by bobbied · 2016-02-02 13:01 · Score: 1

As far as I'm concerned, any and all JavaScript code is a form of malware. I don't want any of it running on my computers, ever.
And yet, here you are, posting on Slashdot... JavaScript runs deep and wide... Good luck avoiding it.

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Re:It takes 30 days to receieve an ebay payment by bobbied · 2016-02-02 13:05 · Score: 1

Really? Wana go for a ride AC? Just remember it's NOT human rated yet..

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Re:Any JavaScript is malware, as far as I'm concer by sexconker · 2016-02-02 13:18 · Score: 1

Ye olde HTML form still exists and works.
Re:Any JavaScript is malware, as far as I'm concer by gstoddart · 2016-02-02 15:10 · Score: 1

But the 7 external sites which all want to run javascript ... I don't let a single one of them do it.
Javascript is best treated as malware. But you pick and choose who you let run it.
You sure as hell don't let any old website run any old script, and call 3rd party scripts -- because that would be idiotic.
And, shockingly, that's how most of the people who make web pages expect it to work ... those ad and analytic companies and the other parasites in pages? Well, they can all fuck off and die.

--
Lost at C:>. Found at C.
Malicious code executes on eBay users brains? by tetraverse · 2016-02-02 20:07 · Score: 1

I hadn't realized modern malware could execute in peoples brains without first going through a computer. Seriously though, how does the code get onto the mobile device without the user first downloading and installing the malware.