“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point. “Check Point continues to be on the lookout for vulnerabilities in common software apps and Internet platforms. By disclosing threats as they are discovered today, we protect the future.”
According to Check Point, the flaw was discovered and the company then disclosed the nature of the vulnerability to eBay on December 15 of last year. Just over a month later, eBay stated that it has no plans to fix the vulnerability, because eBay allows active content under strict guidelines. Check Point, however, was able to bypass those guidelines and provided a proof of concept showing that it had done so.
The vulnerability uses a technique called JSF**k.
Check Point security researcher Roman Zaikin recently discovered a vulnerability that allows attackers to execute malicious code on eBay users’ devices, using a non-standard technique called “JSF**k.” This vulnerability could allow cyber criminals to use eBay as a phishing and malware distribution platform.
eBay performs simple verification, but it only strips alphanumeric characters from inside the script tags. The JSF**k technique lets attackers get around this protection by writing code with a very limited set of characters.
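The sketch below is an added example, not code from eBay or Check Point. It models the filter as the article describes it and shows why stripping characters is weaker than removing script elements altogether. The function names and sample listings are assumptions constructed for illustration.

```javascript
// Added example: models the filter as the article describes it (an assumption,
// not eBay's code) and contrasts it with dropping script elements outright.
// Regexes keep the example self-contained; a production sanitizer should parse
// the HTML and allowlist elements and attributes instead.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;

// Weak filter (hypothetical): keep the <script> element, strip only
// alphanumeric characters from its body.
function stripAlphanumericInScripts(html) {
  return html.replace(SCRIPT_RE, (_m, body) =>
    `<script>${body.replace(/[A-Za-z0-9]/g, "")}</script>`);
}

// Hardened handling: remove script elements entirely, whatever they contain.
function dropScripts(html) {
  return html.replace(SCRIPT_RE, "");
}

// Detection aid: flag script bodies written only with the six JSF**k characters.
function findSymbolOnlyScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1].replace(/\s+/g, "");
    if (body.length > 0 && /^[\[\]()!+]+$/.test(body)) hits.push(body);
  }
  return hits;
}

// Constructed listing descriptions. The symbol-only body is a harmless
// expression that evaluates to the string "f".
const ORDINARY = "<p>Item</p><script>alert(1)</script>";
const SYMBOL_ONLY = "<p>Item</p><script>(![]+[])[+[]]</script>";

console.log(stripAlphanumericInScripts(ORDINARY));    // script body reduced to "()"
console.log(stripAlphanumericInScripts(SYMBOL_ONLY)); // script body unchanged
console.log(dropScripts(SYMBOL_ONLY));                // "<p>Item</p>"
console.log(findSymbolOnlyScripts(SYMBOL_ONLY));      // [ "(![]+[])[+[]]" ]
```

The weak filter breaks the ordinary script but returns the symbol-only one byte for byte, which is the gap the article describes.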
In the example Check Point set up, when a user visits a malicious store on eBay from a desktop computer or mobile device, they are prompted to install a new eBay Discount App, offering a 25% savings on that day’s purchase to further entice the user to click the download button. Because the prompt appears on the official eBay site, it’s easy to see how a user can be tricked into downloading the malicious app, or clicking download and unknowingly causing malicious code to run on their computer.
Once the app is downloaded and installed, the attacker would potentially be able to access and steal data on the user’s device.
If you want further details on how the exploit works, you can head over to the Check Point site and read about the coding logic behind the eBay vulnerability. Until eBay posts a fix, you’ll want to be extra wary of any pop-ups and offers that you may receive while on the eBay website.
h/t Derek Thorson
Source: Check Point