Check Point researchers have discovered a severe vulnerability in eBay’s online sales platform, which allows criminals to distribute malware and run phishing campaigns.

This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely, to execute malicious Javascript code on targeted eBay users. If this flaw is left unpatched, eBay users will continue to be exposed to potential phishing attacks and data theft.

Details

An attacker can target eBay users by setting up an eBay store with listings for products. The listings page contains the malicious code. Customers can be tricked into opening the page using a pop-up message on the attacker’s eBay store enticing the user into downloading a new eBay mobile application, by offering a one-time discount.

If a user taps the download button, they unknowingly download a malicious application to their device, and the code will be executed by the user’s browser or mobile app, leading to multiple ominous scenarios that range from phishing to downloads of malware. Here’s a video of how it works:

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point.

After the flaw was discovered, Check Point disclosed details of the vulnerability to eBay on Dec 15, 2015. However, on January 16, 2016, eBay stated that they have no plans to fix the vulnerability.