Severe and Unpatched eBay Vulnerability Allows Attackers To Distribute Malware 30
An anonymous reader writes: Check Point researchers have discovered a severe vulnerability in eBay's online sales platform, which allows criminals to distribute malware and do phishing campaigns. This vulnerability allows attackers to bypass eBay's code validation and control the vulnerable code remotely, to execute malicious Javascript code on targeted eBay users.
Well isn't that lovely (Score:4, Funny)
Well isn't that lovely...in addition to being the eBay of Thieves, now they can infect your PC as well.
It's like an extra service, I'm only surprised they aren't charging for it.
Re: (Score:2)
An attacker can target eBay users by setting up an eBay store with listings for products. The listings page contains the malicious code. Customers can be tricked into opening the page using a pop-up message on the attacker’s eBay store enticing the user into downloading a new eBay mobile application, by offering a one-time discount. If a user taps the download button, they unknowingly download a malicious application to their device...
But damn, tricked into opening the popup message?
That seems like internet Darwinism.
Re: (Score:2)
Here's why: credit. There are sources of credit that are only easily spent on eBay and a few other online store services. That's all it takes. A lot of people who buy this stuff can't really afford it anyway, so they pay extortionate prices on eBay and such. And then they pay 25% APR on their PayPal credit after the 6 month zero-interest deal on "$100 or more" runs out.
Re: Well isn't that lovely (Score:1)
Any JavaScript is malware, as far as I'm concerned (Score:1)
As far as I'm concerned, any and all JavaScript code is a form of malware. I don't want any of it running on my computers, ever.
Re: (Score:2)
As far as I'm concerned, any and all JavaScript code is a form of malware. I don't want any of it running on my computers, ever.
And yet, here you are, posting on Slashdot... JavaScript runs deep and wide... Good luck avoiding it.
Re: (Score:2)
Ye olde HTML form still exists and works.
Re: (Score:2)
But the 7 external sites which all want to run javascript ... I don't let a single one of them do it.
Javascript is best treated as malware. But you pick and choose who you let run it.
You sure as hell don't let any old website run any old script, and call 3rd party scripts -- because that would be idiotic.
And, shockingly, that's how most of the people who make web pages expect it to work ... those ad and analytic companies and the other parasites in pages? Well, they can all fuck off and die.
Yep, eBay knows, and doesn't care. (Score:5, Informative)
eBay has been open to JavaScript exploits for well over a decade. When I first realized this, I tried to make a fuss about it, but was met with uniform yawns and dismissal; the post or two that I made about it on eBay's discussion forums was summarily deleted.
If they had been trying to allow a limited subset of JS code in listings, I still would've been alarmed, because I would bet against their ability to define a safe subset, never mind successfully blocking anything else. But it looked to me at the time like they weren't doing any blocking at all. I don't remember exactly what I did in my test listing; it might have been triggering one of their buttons (like Buy It Now) from a button in my description, or it might have been attaching a new action to one of their existing buttons. It looked like I could also have (say) rewritten the price field, so that it looked like you'd be paying one amount but actually get charged a higher amount. I didn't even start trying to generate overlays that look like eBay controls but actually did my bidding, but it looked like the opportunities were practically unlimited. I didn't push hard, and I deleted the listing before anyone else could view it, because I was doing a fair amount of business there at the time, and I didn't want to be the messenger that got shot.
I just can't imagine what they're thinking by letting people embed arbitrary JS in listings. I'm stunned that there hasn't been a catastrophic exploit in all this time. I've assumed that I was simply overlooking some critical piece that they've implemented to guarantee security, but this story doesn't exactly instill confidence.
Ebay (Score:1)
EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4
Re: (Score:2)
EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4
YOU CAN?!?! *sets keyboard on fire typing in ebay.com*
Re: (Score:1)
Yeah but on Alibaba you can get 'em by the container shipload. With added lead!
Re: (Score:2)
EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4
Yea, just watch out for the $500,000 shipping/insurance charges...
Re: (Score:2)
Really? Wana go for a ride AC? Just remember it's NOT human rated yet..
Malicious code executes on eBay users brains? (Score:1)
UX/UI is stuck in the 90s (Score:1)
Let me start by saying... Can we be less american-centric? I bet statistics show most users here are not american.
As for UX: Just look at your competitors and do the same as them. People expect certain modes of interaction.
This is like, UX haphazardly developed by "bits and bytes" geeks, and I myself am one of those old school bit logic and assembly lovers, but I'm not going to pretend I can do a decent GUI (let alone that I would enjoy it).
Showing raw ID codes for users? ID codes for posts? What. You call