eBay 'refuses to fix app security flaw'

Code-injection bug lets attackers run malicious JavaScript on eBay customers' devices, says researcher


Auction site eBay is embroiled in another hacking scandal, after researchers found a serious vulnerability that could lead to malware being downloaded onto users' devices.

The flaw bypasses eBay's code validation, the filter that is meant to strip active content from seller-supplied listing pages, and can be used to execute malicious JavaScript in targeted eBay users' browsers, revealed security firm Check Point, which discovered the flaw late last year.

The mobile-focused attack allows a cyber criminal to "target eBay users by setting up an eBay store with listings for products", Check Point said.

It added: "The listings page contains the malicious code. Customers can be tricked into opening the page using a pop-up message on the attacker's eBay store enticing the user into downloading a new eBay mobile application, by offering a one-time discount."

If the victim taps the pop-up to accept, a malicious app is downloaded to their phone; it can then steal data from the user's browser or eBay app, exposing them to phishing attacks or malware infections.
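The weakness Check Point describes, attacker-controlled listing HTML getting past a validation filter, is the general problem of sanitising untrusted HTML. The following is an added example written for this article, not eBay's or Check Point's code, and it does not reproduce the actual bypass Check Point found. It contrasts a hypothetical blocklist filter (the kind that strips `<script>` tags and trusts the rest) with an allowlist sanitiser that rebuilds every tag from scratch, running both over three constructed payloads of the sort a listing page could carry. The filter, the allowlist, and the payloads are all assumptions made for illustration.

```javascript
// Added example for this article, not eBay's or Check Point's code. It shows why a
// blocklist "code validation" step on seller-supplied listing HTML is fragile and
// how an allowlist sanitiser handles the same input. All payloads are constructed
// and do not reproduce the actual bypass Check Point reported.

// Hypothetical blocklist filter: strips <script> and </script> tags and trusts
// whatever remains.
function blocklistFilter(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, "");
}

// Allowlist sanitiser: only these tags survive, and only these attributes on them.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "ul", "li", "a", "img"]);
const ALLOWED_ATTRS = { a: ["href"], img: ["src", "alt"] };

// Escape text so it can never open a tag or break out of an attribute value.
function escapeText(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// URL attributes must be absolute http(s); javascript:, data: and friends are dropped.
function safeUrl(value) {
  return /^https?:\/\//i.test(value.trim());
}

function allowlistSanitize(html) {
  let out = "";
  // Tokens: a tag-like run "<...>", a run of text, or a lone "<" that never closed.
  const tokenRe = /<\/?[a-zA-Z][^>]*>|[^<]+|</g;
  for (const [token] of html.matchAll(tokenRe)) {
    if (token[0] !== "<" || token.length === 1) {
      out += escapeText(token); // text, or a stray "<": escape it
      continue;
    }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/.exec(token);
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag (script, iframe, ...): dropped
    if (closing) {
      out += `</${name}>`;
      continue;
    }
    // Rebuild the opening tag from scratch: only allowed attributes, re-quoted and escaped.
    const kept = [];
    const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (const a of m[3].matchAll(attrRe)) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4];
      if (!(ALLOWED_ATTRS[name] || []).includes(attrName)) continue; // onerror, onclick, style...
      if ((attrName === "href" || attrName === "src") && !safeUrl(value)) continue;
      kept.push(`${attrName}="${escapeText(value)}"`);
    }
    out += `<${name}${kept.length ? " " + kept.join(" ") : ""}>`;
  }
  return out;
}

// Constructed payloads: each either carries no <script> tag for the blocklist to
// see, or rebuilds one from the pieces the blocklist leaves behind.
const PAYLOADS = [
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">Claim your one-time discount</a>',
  '<scr<script>ipt>alert(1)</scr</script>ipt>',
];

function compare(payload) {
  return { blocklist: blocklistFilter(payload), allowlist: allowlistSanitize(payload) };
}

for (const p of PAYLOADS) {
  const r = compare(p);
  console.log(`payload:   ${p}\nblocklist: ${r.blocklist}\nallowlist: ${r.allowlist}\n`);
}
```

The first two payloads pass the blocklist untouched because they contain no `<script>` tag at all; the third is reassembled into `<script>alert(1)</script>` by the very act of stripping. The allowlist version never has to anticipate a payload: anything not explicitly permitted is dropped or escaped. A production system should still use a parser-based sanitiser rather than the regex tokeniser shown here, which is kept deliberately small.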

Oded Vanunu, security research group manager at Check Point, said: "The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack.

"The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user's account."

Perhaps more worrying, however, is that eBay intends to do nothing about the issue, according to Check Point.

The organisation said that it contacted eBay on 15 December to disclose the vulnerability but that on 16 January the auction site said it had no plans to fix it. EBay did not address this claim when IT Pro asked for a response.

The news comes just weeks after a cross-site scripting (XSS) vulnerability was disclosed on the main eBay site by researcher MLT.

That attack, while different, also relied on injected JavaScript that could allegedly lead to phishing attacks and theft of login credentials.

MLT also told IT Pro they contacted eBay about the vulnerability in December and that, while eBay did eventually fix it in January, the company was generally slow to respond.

IT Pro has also been told eBay has something of "a bad track record" dealing with security researchers, including allegedly refusing to take vulnerability and security reports from hobbyists.

The firm declined to comment on the allegations levelled by Check Point specifically, but a spokesperson told IT Pro: "As a company, we're committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure."
