Check Point finds ‘serious’ eBay security flaw
Auction site is said to have no intention of fixing breach found by Israeli firm, which could leave buyers, sellers vulnerable to hack attacks
Israeli cybersecurity firm Check Point on Tuesday revealed what it said was a “serious” flaw in the security of online e-commerce and auction giant eBay.
According to Check Point, the site contains a vulnerability that allows hackers to use malicious JavaScript code to target merchants and buyers and steal their information, money, and products.
The vulnerability enables attackers to bypass eBay’s code validation – which ensures that the data being handled by the site is legitimate – and instead remotely execute malicious JavaScript code. All 160 million eBay users are potentially affected, Israel’s Channel 2 news said.
According to Check Point, “if this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.”
Among the exploits that hackers can pull off with the trick is sending users to legitimate-looking pages via links or referrals that contain the malicious code. Once the user is on the page, the JavaScript takes over, scanning the user’s computer or mobile device for information, or enrolling the device in a botnet or similar hacker scheme, without the user’s knowledge.
In a video released with the information about the breach, Check Point demonstrated how the malicious code could be used to insert phony coupon codes to make it appear as if a buyer paid for merchandise. In the video, a hacker is seen using the vulnerability to buy a watch worth over $100,000 for free – using a coupon code “worth” over $100,000.
It should be noted that there is no record of the vulnerability actually being used. In a blog post, Check Point said that it had alerted eBay to the problem, but the platform “stated that they have no plans to fix the vulnerability.” As a result, said Check Point, “the exploit is still live.”
“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point. “Check Point continues to be on the lookout for vulnerabilities in common software apps and Internet platforms. By disclosing threats as they are discovered today, we protect the future.”