The loophole was discovered by the security researchers from Check Point Software in December, and even contacted eBay to make them aware of the exploit, which takes advantage of the site’s rules on hosting JavaScript within listings. The security researchers say if this flaw is left unpatched, eBay users will continue to be exposed to potential phishing attacks and data theft. Here’s how it works: an attacker sets up a store page with listings for products. On the page, a pop-up message will appear telling customers that if they download the eBay mobile app, they can receive a limited-time discount. By clicking the download button, the user will unintentionally download the code and put their device at risk. An example of the process can be seen in the video below:
“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point. eBay has said that it’s been in contact with Check Point following their discovery. On the other hand, eBay has said it has no plans to address the vulnerability, as they think the use of the exploit to be incredibly rare. In an email to Ars, eBay wrote, “eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.” The e-mail added: Also, it’s important to understand that we have been in touch with the researcher and have implemented various security filters based on his findings to detect this exploit. Since we allow active content on our site it’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace. It is common knowledge these days that you should never accept prompts to install or download something from a webpage, especially if it’s for a third-party app in order to keep your devices safe.