eBay Vulnerability Allows Attackers To Bypass Code Validation

Security / Tech

Check Point, an IT security company, has uncovered an eBay vulnerability that allows attackers to bypass the online auction and sales site’s code validation. Once that validation is bypassed, an attacker can remotely control the injected code and execute malicious JavaScript against eBay users.

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point. “Check Point continues to be on the lookout for vulnerabilities in common software apps and Internet platforms. By disclosing threats as they are discovered today, we protect the future.”

According to Check Point, the company discovered the flaw and disclosed its details to eBay on December 15 of last year. Just over a month later, eBay has stated that it has no plans to fix the vulnerability, because eBay allows active content under strict guidelines — guidelines that Check Point was able to bypass, providing a proof of concept that it had done so.

The vulnerability uses a technique called JSF**k.

Check Point security researcher Roman Zaikin recently discovered a vulnerability that allows attackers to execute malicious code on eBay users’ devices, using a non-standard technique called “JSF**k.” This vulnerability could allow cybercriminals to use eBay as a phishing and malware distribution platform.

To exploit this vulnerability, all an attacker needs to do is create an online eBay store. In the store details, he posts a maliciously crafted item description. eBay prevents users from including scripts or iframes by filtering out those HTML tags. However, by using JSF**k, the attacker can craft code that loads additional JavaScript from his own server. This lets the attacker insert remotely controllable JavaScript that he can adjust to, for example, serve different payloads to different user agents.

eBay performs a simple verification, but it only strips alphanumeric characters from inside the script tags. The JSF**k technique gets around this check by expressing the code in a very small set of non-alphanumeric characters, which the filter leaves untouched.
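The following is an added example, not Check Point’s proof of concept and not eBay’s code. It models a blocklist filter of the kind the article describes (alphanumerics stripped from inside script tags; the function `stripAlnumInScripts` is an assumption about that behaviour, not eBay’s actual implementation) and shows why it fails against a script body written only in non-alphanumeric characters, then contrasts it with an allowlist sanitizer (`allowlistSanitize`) that escapes everything and re-enables only a fixed set of attribute-free formatting tags. The sample item descriptions are constructed; the symbol-only script body evaluates to a harmless string and is there only to show that the filter does not touch it.

```javascript
// Added example (not Check Point's or eBay's code). Models the filter the
// article describes and contrasts it with an allowlist sanitizer.

// Assumed blocklist filter: alphanumerics inside <script> tags are removed;
// the tags themselves and every other character are left alone.
function stripAlnumInScripts(html) {
  return html.replace(
    /(<script\b[^>]*>)([\s\S]*?)(<\/script>)/gi,
    (_, open, body, close) => open + body.replace(/[a-z0-9]/gi, '') + close
  );
}

// True when the blocklist filter changes nothing, i.e. the description
// already contains no alphanumeric characters inside its <script> tags.
function passesUnchanged(html) {
  return stripAlnumInScripts(html) === html;
}

// True when the output still contains a <script> element the browser would run.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Allowlist sanitizer: HTML-escape the whole description, then re-enable only
// a fixed set of attribute-free formatting tags. Anything not on the list,
// <script> and <iframe> included, stays escaped and is rendered as text.
const ALLOWED_TAGS = ['b', 'i', 'p', 'br', 'ul', 'li'];
function allowlistSanitize(html) {
  const escaped = html
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
  const re = new RegExp(`&lt;(\\/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');
  return escaped.replace(re, (_, slash, tag) => `<${slash}${tag.toLowerCase()}>`);
}

// Constructed sample item descriptions (not taken from the page).
const ORDINARY_SCRIPT = '<p>Great deal!</p><script>alert(1)</script>';
// This script body uses only the characters []()!+ and evaluates to the
// harmless string "truefalse"; it stands in for code in that restricted alphabet.
const SYMBOL_ONLY_SCRIPT = '<p>Great deal!</p><script>[]+[]+!![]+(![]+[])</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(stripAlnumInScripts(ORDINARY_SCRIPT));    // body reduced to "()"
  console.log(passesUnchanged(SYMBOL_ONLY_SCRIPT));      // true: filter is bypassed
  console.log(allowlistSanitize(SYMBOL_ONLY_SCRIPT));    // <script> rendered as text
}
```

The point of the contrast is that a filter which removes characters it dislikes can only ever be as good as its list of disliked characters, whereas escaping first and re-enabling a known-safe set leaves nothing for an encoding trick to exploit: the script tag never reaches the browser as markup, regardless of what its body contains.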

In the example Check Point set up, when a user visits a malicious store on eBay from a desktop computer or mobile device, they are prompted to install a new eBay Discount App, offering a 25% savings on that day’s purchase to further entice the user to click the download button. Because the prompt appears on the official eBay site, it’s easy to see how a user could be tricked into downloading the malicious app, or into clicking download and unknowingly causing malicious code to run on their computer.

eBay vulnerability screenshot

Once the app is downloaded and installed, the attacker would potentially be able to access and steal data on the user’s device.

If you want further details on how the exploit works, you can head over to the Check Point site and read about the coding logic behind the eBay vulnerability. Until eBay posts a fix, you’ll want to be extra wary of any pop-ups and offers that you may receive while on the eBay website.

h/t Derek Thorson

Source: Check Point