
EBay has a 'severe' security bug


In a world where new online businesses seem to come and go with the wind, eBay has stuck around. With its longevity, the company has also developed its own reputation. You hear "eBay" and you think of deals, one-of-a-kind finds, private selling, convenience and simplicity. But what you don't typically think of is malware.

The next time you shop on eBay, maybe you should. The site was recently found to have a "severe" vulnerability that lets hackers implant malware and phishing pages.

Researchers from Check Point Software identified the problem, which lets hackers get around the existing restriction that stops user posts from hosting JavaScript code that runs on the end-user device. The restriction was originally put in place for the user's benefit, and designed to keep scammers from creating false auctions. But hackers have figured out a way around it.

With a new, highly sophisticated coding technique, hackers are able to add JavaScript to their posts. This allows them to create pages that look entirely legitimate but contain malicious code. Oded Vanunu, a Check Point researcher, explained, "Customers can be tricked into opening the page, and the code will then be executed by the user's browser or mobile app, leading to multiple ominous scenarios that range from phishing to binary download."

What's most troubling is that researchers from Check Point notified the appropriate parties at eBay in mid-December, and nothing was done to correct the problem. Then, in January, eBay notified Check Point that it had no intention of implementing a fix.

Since then, Check Point has gone public with the information they found, and media outlets have let the word out. Yet, eBay has only changed its tune slightly.

Media outlets that have covered the story have received a response from eBay, stating the following: "eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident."

The response goes on to say that eBay has "been in touch with a researcher" and has "implemented various security filters based on his findings". According to the statement, eBay estimates that malicious content on the site is less than two listings per million.

Source: Ars Technica