Researchers Claim New eBay Flaw Could Lead to Data Theft

The flaw could allow an attacker to remotely bypass the e-commerce giant’s code validation checks to serve up malicious JavaScript to a victim, according to Check Point.

The security vendor claimed that the attack methodology is fairly straightforward.

A hacker first needs to set up an eBay store and then insert malicious code into the product listings page. Punters could then be tricked into opening the page via a pop-up offering them a one-time discount if they download a new ‘eBay mobile app’.

Hitting ‘download’ will trigger a download of a malicious app in the background – exposing the user to phishing or further malware downloads.

Although eBay prevents users from including scripts or iFrames by filtering out those HTML tags, an attacker can load additional JavaScript from their server using a non-standard technique called “JSF**k.”

Inserting this remotely controllable JavaScript enables the attacker to create multiple payloads for a different user agent.

Check Point said it disclosed its findings to eBay on 15 December last year, but on 16 January the trading platform responded that it had no plans to fix it.

The security firm and e-commerce platform are now in a stand-off. The latter believes its security controls on active content are sufficient, while Check Point thinks they can be bypassed.

Although eBay performs verification checks on code, it only strips alpha-numeric characters from inside the script tags, Check Point claimed. The JSF**k technique allows hackers to circumvent this protection by using a very limited set of characters.
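The filtering gap described above, seen from the defender's side, as an added example that is not from the article, Check Point or eBay: a filter that removes only alphanumerics leaves content built from the six JSF**k symbols `[]()!+` untouched, so a listing pipeline can flag long runs of those symbols instead. The 24-character threshold, the function names and both samples are assumptions made for illustration.

```javascript
// Added example; thresholds, names and samples are assumptions, not eBay's code.

// A run of 24+ characters drawn only from the six symbols (whitespace tolerated).
// 24 is an assumed threshold; ordinary listing text rarely chains these symbols.
const SYMBOL_RUN = /(?:[\[\]()!+]\s*){24,}/g;

// Model of the filter as the article describes it: alphanumerics are removed.
function stripAlphanumerics(input) {
  return input.replace(/[A-Za-z0-9]/g, "");
}

// Return the position and length of every long symbol-only run in the markup.
function findSymbolRuns(html) {
  const runs = [];
  for (const m of html.matchAll(SYMBOL_RUN)) {
    runs.push({ index: m.index, length: m[0].length });
  }
  return runs;
}

// Decision a listing pipeline could take: hold the listing for manual review.
function reviewListing(html) {
  const runs = findSymbolRuns(html);
  return { hold: runs.length > 0, runs };
}

// Constructed samples. The encoded one is harmless: it evaluates to the string "fa".
const ENCODED_SAMPLE = "(![]+[])[+[]]+(![]+[])[+!+[]]";
const BENIGN_SAMPLE = "<p>Vintage lamp (boxed) [new]!! Ships in 2+ days.</p>";

// The alphanumeric filter changes nothing in the encoded sample...
console.log(stripAlphanumerics(ENCODED_SAMPLE) === ENCODED_SAMPLE);
// ...while the run check holds it and lets the ordinary listing through.
console.log(reviewListing("<div>" + ENCODED_SAMPLE + "</div>"));
console.log(reviewListing(BENIGN_SAMPLE));
```

A hit is a signal for review rather than proof of abuse, and the check complements an allow-list sanitizer and a Content Security Policy rather than replacing them.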

“The eBay attack flow provides cyber-criminals with a very easy way to target users: sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Check Point security research group manager, in a statement.

“The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”

When contacted by Infosecurity, Check Point claimed that eBay had provided no update to its position aside from this generic statement:

“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”

SOURCE: Phil Muncaster | Infosecurity Magazine

