Another dangerous eBay security vulnerability was recently discovered by researchers. This allows fraudsters using a highly advanced coding technique known as JSfuck, to install malware on unsuspecting members smartphones.
We have been observing eBay security vulnerabilities back as far as 2004, examples are HereHere and Here. Why they allow this sloppy security is anyone’s best guess. But we believe profits trump good security. 😆
From arstechnica.com: eBay has no plans to fix a “severe” vulnerability that allows attackers to use the company’s trusted website to distribute malicious code and phishing pages, researchers from security firm Check Point Software said.
“An attacker could target eBay users by sending them a legitimate page that contains malicious code,” Check Point researcher Oded Vanunu wrote in a blog post published Tuesday. “Customers can be tricked into opening the page, and the code will then be executed by the user’s browser or mobile app, leading to multiple ominous scenarios that range from phishing to binary download.”
The post went on to say that Check Point researchers privately reported the security hole to eBay in mid-December. On January 16, eBay officials informed Check Point that they had no plans to issue a fix. The post didn’t explain the reason behind eBay’s decision. Update: In an e-mail sent to Ars after this post went live, eBay officials wrote: “eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”
The e-mail added: Also, it’s important to understand that we have been in touch with the researcher and have implemented various security filters based on his findings to detect this exploit. Since we allow active content on our site it’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.
As shown, the message which appears on eBay’s website application (specifically, on the attacker’s store on the eBay site) entices the unsuspecting user into downloading a new eBay mobile application by offering a one-time discount.
For example, if a user taps the `download` button, he will unknowingly download a malicious application to his mobile device.
Example Android and iPhone jsfuck vulnerability popup windows