Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security

Severe and Unpatched eBay Vulnerability Allows Attackers To Distribute Malware 30

An anonymous reader writes: Check Point researchers have discovered a severe vulnerability in eBay's online sales platform, which allows criminals to distribute malware and do phishing campaigns. This vulnerability allows attackers to bypass eBay's code validation and control the vulnerable code remotely, to execute malicious Javascript code on targeted eBay users.
This discussion has been archived. No new comments can be posted.

Severe and Unpatched eBay Vulnerability Allows Attackers To Distribute Malware

Comments Filter:
  • by JustAnotherOldGuy ( 4145623 ) on Tuesday February 02, 2016 @07:04PM (#51425525)

    Well isn't that lovely...in addition to being the eBay of Thieves, now they can infect your PC as well.

    It's like an extra service, I'm only surprised they aren't charging for it.

    • Infections from ebay are right next to not new,

      An attacker can target eBay users by setting up an eBay store with listings for products. The listings page contains the malicious code. Customers can be tricked into opening the page using a pop-up message on the attacker’s eBay store enticing the user into downloading a new eBay mobile application, by offering a one-time discount. If a user taps the download button, they unknowingly download a malicious application to their device...

      But damn, tricked into opening the popup message?

      That seems like internet Darwinism.

  • As far as I'm concerned, any and all JavaScript code is a form of malware. I don't want any of it running on my computers, ever.

    • As far as I'm concerned, any and all JavaScript code is a form of malware. I don't want any of it running on my computers, ever.

      And yet, here you are, posting on Slashdot... JavaScript runs deep and wide... Good luck avoiding it.

      • Ye olde HTML form still exists and works.

      • But the 7 external sites which all want to run javascript ... I don't let a single one of them do it.

        Javascript is best treated as malware. But you pick and choose who you let run it.

        You sure as hell don't let any old website run any old script, and call 3rd party scripts -- because that would be idiotic.

        And, shockingly, that's how most of the people who make web pages expect it to work ... those ad and analytic companies and the other parasites in pages? Well, they can all fuck off and die.

  • by jeffb (2.718) ( 1189693 ) on Tuesday February 02, 2016 @07:14PM (#51425567)

    eBay has been open to JavaScript exploits for well over a decade. When I first realized this, I tried to make a fuss about it, but was met with uniform yawns and dismissal; the post or two that I made about it on eBay's discussion forums was summarily deleted.

    If they had been trying to allow a limited subset of JS code in listings, I still would've been alarmed, because I would bet against their ability to define a safe subset, never mind successfully blocking anything else. But it looked to me at the time like they weren't doing any blocking at all. I don't remember exactly what I did in my test listing; it might have been triggering one of their buttons (like Buy It Now) from a button in my description, or it might have been attaching a new action to one of their existing buttons. It looked like I could also have (say) rewritten the price field, so that it looked like you'd be paying one amount but actually get charged a higher amount. I didn't even start trying to generate overlays that look like eBay controls but actually did my bidding, but it looked like the opportunities were practically unlimited. I didn't push hard, and I deleted the listing before anyone else could view it, because I was doing a fair amount of business there at the time, and I didn't want to be the messenger that got shot.

    I just can't imagine what they're thinking by letting people embed arbitrary JS in listings. I'm stunned that there hasn't been a catastrophic exploit in all this time. I've assumed that I was simply overlooking some critical piece that they've implemented to guarantee security, but this story doesn't exactly instill confidence.

  • by Anonymous Coward

    EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4

    • by mentil ( 1748130 )

      EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4

      YOU CAN?!?! *sets keyboard on fire typing in ebay.com*

    • Yeah but on Alibaba you can get 'em by the container shipload. With added lead!

    • EBay itself is a severe and unpatched vulnerability. Where else can you get flawless 6 ct diamond rings for just $4

      Yea, just watch out for the $500,000 shipping/insurance charges...

  • I hadn't realized modern malware could execute in peoples brains without first going through a computer. Seriously though, how does the code get onto the mobile device without the user first downloading and installing the malware.
  • Let me start by saying... Can we be less american-centric? I bet statistics show most users here are not american.
    As for UX: Just look at your competitors and do the same as them. People expect certain modes of interaction.
    This is like, UX haphazardly developed by "bits and bytes" geeks, and I myself am one of those old school bit logic and assembly lovers, but I'm not going to pretend I can do a decent GUI (let alone that I would enjoy it).
    Showing raw ID codes for users? ID codes for posts? What. You call

Base 8 is just like base 10, if you are missing two fingers. -- Tom Lehrer

Working...