eBay bug allows hackers to distribute malware and phishing campaigns

The popular auction website eBay has been found to contain a bug in its listings that allows attackers to embed potentially malicious JavaScript code.

Security researchers at Check Point have discovered a bug in eBay, the popular online auction website, that allows attackers to bypass eBay’s code validation on auctions and sales. The bypass could allow malicious JavaScript code to run on users’ machines, potentially aiding malware distribution and phishing campaigns.

Check Point stated on their blog: “An attacker could target eBay users by sending them a legitimate page that contains malicious code. Customers can be tricked into opening the page, and the code will then be executed by the user’s browser or mobile app, leading to multiple ominous scenarios that range from phishing to binary download.”

The bug was responsibly disclosed to eBay on Dec 15th 2015. However, according to Check Point, eBay stated on Jan 16th that it has no plans to fix the vulnerability.

Author Description

Martyn Price

Main editor at PCI-News as well as IT technician, network engineer, systems administrator, website designer, manager and data recovery specialist at PCI Xpress ltd
