On December 15, 2015, the Israeli security firm Check Point informed the e-commerce giant eBay of a vulnerability in its online sales platform. The flaw allowed cyber criminals to distribute phishing attacks and deliver malicious code to eBay’s users. On February 2, 2016, after demonstrating that attackers could bypass eBay’s security controls, Check Point went public with the details, since eBay had said it had no immediate plans to fix the issue.
The attackers would create an online eBay store and use a technique called “JSF**k” (JSFuck), which rewrites ordinary JavaScript into an expression built from only six characters: [ ] ( ) ! +. In the store, they would plant a maliciously crafted item description written in this form. eBay defends against script in descriptions by stripping alphanumeric characters out of it; that neutralises an ordinary script, but a JSFuck payload contains no alphanumeric characters at all, so it passes the filter untouched and the attacker-controlled script runs in the visitor’s browser, where it can, for example, display a message to the user.
The injected message would look similar to the images below. Delivered through eBay’s own web application, its goal was to entice the user to download a new mobile app by advertising a one-time discount offer. As soon as the user clicks the download message, a malicious application starts downloading onto their mobile device. Another way to harvest private information is through a fake Gmail or Facebook pop-up asking the user to enter their username and password.
Image retrieved from Check Point
To date, eBay still has no plans to patch the vulnerability, although representatives did tell SC Magazine that “we’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire infrastructure.”
Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506. Follow us on LinkedIn and Twitter @Securesense for current company and industry news.