In mid-December, researchers at security firm Check Point Software reported a security vulnerability to eBay. This vulnerability is an appropriately-named (JSFUCK) exploit that bypasses restrictions by eBay on how it handles hosted JavaScript within its listings.
Using JSFUCK, attackers can bypass this safeguard and run malicious code that targets eBay’s users.
According to Check Point:
To exploit this vulnerability, all an attacker needs to do is create an online eBay store. In his store details, he posts a maliciously crafted item description. eBay prevents users from including scripts or iFrames by filtering out those HTML tags. However, by using JSF**k, the attacker is able to create a code that will load an additional JS code from his server. This allows the attacker to insert a remote controllable JavaScript that he can adjust to, for example, create multiple payloads for a different user agent.
On January 16, eBay informed Check Point that it had no plans to issue a fix.
This is concerning on many levels, not the least of which is eBay’s older and less security-conscious audience that could fall victim to some pretty severe attacks. The video belows just how easy it would be for an unwitting victim to fall prey to an exploit that, for all intents and purposes, looks like a legitimate offer from eBay.
Instead, users would likely be targets for phishing or binary download attacks, most likely through a downloaded app.
We’ve reached out to eBay about JSFUCK, and will update this article should we hear back.
Update from eBay:
eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.
The eBay spokesperson also wanted to be clear that malicious code on the platform is rare, making up “less than two listings per million.”
➤ eBay Platform Exposed to Severe Vulnerability [Check Point Software via Ars Technica]
Get the TNW newsletter
Get the most important tech news in your inbox each week.