Using JSFUCK, attackers can bypass this safeguard and run malicious code that targets eBay’s users.
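JSFuck works because it encodes arbitrary JavaScript using only the six characters `[ ] ( ) ! +`, so a filter that looks for script tags or alphanumeric keywords never sees anything it recognises. The following example is added here and is not eBay's or Check Point's code; it assumes the bypassed safeguard is such a keyword/tag blocklist and shows the complementary check a defender would add: flag long runs of the JSFuck alphabet, which legitimate listing text never contains. The run-length threshold and the sample inputs are constructed assumptions.

```python
import re

# Keyword/tag blocklist of the kind JSFuck sidesteps (assumed model of the
# safeguard; the article does not spell out eBay's actual filter).
NAIVE_BLOCKLIST = re.compile(
    r"<script\b|javascript:|\beval\b|\balert\b", re.IGNORECASE
)

# JSFuck payloads consist solely of these six characters. A run of 20 or more
# of them in a row is far beyond anything a genuine description contains
# (threshold is an assumption; tune it against your own corpus).
JSFUCK_RUN = re.compile(r"[\[\]()!+]{20,}")


def naive_filter_rejects(html: str) -> bool:
    """Return True if the keyword/tag blocklist alone would reject the HTML."""
    return NAIVE_BLOCKLIST.search(html) is not None


def jsfuck_runs(html: str) -> list:
    """Return every run of JSFuck-alphabet characters long enough to be suspicious."""
    return JSFUCK_RUN.findall(html)


def hardened_filter_rejects(html: str) -> bool:
    """Blocklist plus JSFuck-run check: rejects encoded payloads the blocklist misses."""
    return naive_filter_rejects(html) or bool(jsfuck_runs(html))


# Constructed sample inputs (not taken from any real listing).
BENIGN = "<p>Vintage lamp (works!) + spare bulb [new]</p>"

# Constructed obfuscated fragment: JSFuck for the single character "f",
# repeated three times. Harmless on its own; it only exercises the detector.
OBFUSCATED = '<div title="' + "(![]+[])[+[]]" * 3 + '"></div>'

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        print(
            f"{label}: blocklist rejects={naive_filter_rejects(sample)}, "
            f"hardened rejects={hardened_filter_rejects(sample)}, "
            f"runs={jsfuck_runs(sample)}"
        )
```

The benign description passes both checks, while the encoded fragment slips past the blocklist and is caught only by the run-length rule.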
According to Check Point:
On January 16, eBay informed Check Point that it had no plans to issue a fix.
This is concerning on many levels, not the least of which is eBay’s older and less security-conscious audience that could fall victim to some pretty severe attacks. The video below shows just how easy it would be for an unwitting victim to fall prey to an exploit that, for all intents and purposes, looks like a legitimate offer from eBay.
Instead, users would likely be targets for phishing or binary download attacks, most likely through a downloaded app.
We’ve reached out to eBay about JSFUCK, and will update this article should we hear back.
Update from eBay:
eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.
The eBay spokesperson also wanted to be clear that malicious code on the platform is rare, making up “less than two listings per million.”