eBay buyers, beware - there's a new bug making the rounds on the buy-and-sell marketplace that allows hackers to embed malware in auction pages.

Oddly enough, eBay has known about the issue since last December and reportedly has no plans to address it. The company reasons that, although it has improved security filters across its platform, it sees no reason to block this particular bug from being further exploited.

"Since we allow active content on our site, it's important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace," said eBay in response to the issue.

Check Point Software, the security firm that discovered the flaw, says the vulnerability allows attackers to phish unsuspecting users and infect their devices. Using a programming technique called JSF**K, hackers can get around a restriction that would normally prevent users from embedding JavaScript code in their auction pages.

It's that easy: an attacker simply has to create an auction page for any product, deploy JSF**K, and attach the malicious code, which then loads even more JavaScript into the visitor's browser.

Here's how it works: when a visitor opens a rigged auction page on eBay, they are prompted to download an app to receive a discount. A "You are lucky!" message pops up asking the user to download an app (sometimes also asking for their email address and eBay password) to be eligible for a 25 percent discount. Once the user clicks or taps the offer (the bug works in both desktop and mobile browsers), the malware takes over in the background.
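The filter bypass described above works because JSF**K rewrites a script using only the six characters `[ ] ( ) ! +`, so a filter that looks for JavaScript keywords never sees one. A defender can look for the shape of such an encoding instead. The scanner below is an added example written for this article; it is not code from eBay or Check Point, and the listing snippets, the 30-character run threshold and the verdict labels are constructed assumptions.

```javascript
// Added example (not eBay's or Check Point's code): heuristic scan of listing
// HTML for JSFuck-style payloads. Normal listing text never contains long
// runs made only of [ ] ( ) ! + , and the well-known JSFuck building blocks
// (![]+[] for "false", !![]+[] for "true", +[] for 0) are easy to spot.

const JSFUCK_CHARS = /[\[\]()!+]/;
const MIN_RUN = 30; // assumption: a run this long does not occur in benign descriptions

// Idioms that appear in practically every JSFuck-encoded script.
const JSFUCK_IDIOMS = ['[]+[]', '![]', '+[]', '[][[]]'];

// Return maximal runs of JSFuck characters (whitespace inside a run is ignored)
// that are at least minRun characters long.
function findJsfuckRuns(text, minRun = MIN_RUN) {
  const runs = [];
  let start = -1;
  let count = 0;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (JSFUCK_CHARS.test(ch)) {
      if (start < 0) start = i;
      count++;
    } else if (/\s/.test(ch) && start >= 0) {
      // whitespace between two JSFuck characters keeps the run alive
    } else {
      if (count >= minRun) {
        runs.push({ offset: start, length: count, sample: text.slice(start, i).trim().slice(0, 40) });
      }
      start = -1;
      count = 0;
    }
  }
  if (count >= minRun) {
    runs.push({ offset: start, length: count, sample: text.slice(start).trim().slice(0, 40) });
  }
  return runs;
}

// Combine the run check with the idiom check into a verdict a listing
// pipeline could act on: 'block', 'review' (needs a human) or 'allow'.
function scanListing(html) {
  const runs = findJsfuckRuns(html);
  const idiomHits = JSFUCK_IDIOMS.filter((idiom) => html.includes(idiom));
  let verdict = 'allow';
  if (runs.length > 0 && idiomHits.length >= 2) {
    verdict = 'block';
  } else if (runs.length > 0 || idiomHits.length >= 2) {
    verdict = 'review';
  }
  return { verdict, runs, idiomHits };
}

// Constructed sample listings (not real eBay content). The second one embeds
// a JSFuck fragment that merely spells the string "flat" via
// ("false"+"true") indexing; it does nothing on its own.
const BENIGN_LISTING =
  '<div class="item-desc"><p>Brand new phone (unlocked)! Ships in 2 days. [See photos]</p></div>';
const SUSPICIOUS_LISTING =
  '<div class="item-desc"><p>Great deal!</p><script>' +
  '[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]' +
  '</script></div>';

// Stand-alone demo: print the verdicts for both constructed listings.
for (const listing of [BENIGN_LISTING, SUSPICIOUS_LISTING]) {
  console.log(JSON.stringify(scanListing(listing)));
}
```

The run detector is deliberately simple: it does not decode the payload, it only measures how much of the content is made of the six characters a JSF**K encoder is restricted to. Treat `+[]` and `![]` as weak signals on their own, since ordinary scripts can contain them; the long run is the strong signal, which is why the combination is what produces a `block`.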

"The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. ... Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user's account," warns Check Point.

To stay safe, it's best to follow the "think before you click" rule: don't click or tap on anything that prompts you to install or download something, especially when the prompt is unexpected or involves a third-party app. Left unchecked, users will remain exposed to further phishing attacks and possible data theft.

Photo: Brian Cantoni | Flickr

ⓒ 2021 TECHTIMES.com All rights reserved. Do not reproduce without permission.