eBay Vulnerability Exposes Users to Data Theft and Phishing Attacks

The eBay site is used by millions of people and as a result, has a level of trust with its users buying and selling countless items each day. Imagine then, how lucrative a target this massive user base could be for an attacker. Check Point’s security researchers have found just such a vulnerability in eBay that allows malicious users to bypass the code validation that is in-place and remotely control the vulnerable code to execute malicious Javascript code on the browsers of targetted users.

Check Point warn that leaving the flaw unpatched will expose the online marketplace’s huge userbase to the risk of data theft and phishing attacks while eBay believes that the actual risk of a malicious attack is very low. eBay was made aware of the vulnerability on December 15th, but they are yet to issue a complete patch for the weakness, instead claiming to have implemented additional security filters based on the report to reduce the risk.

eBay told Security Week “eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”

One of the ways that an attacker could target eBay users is by first sending them to a legitimate page which contains the malicious code. By setting up an eBay store and adding malicious code to the description section of items, users can be tricked by attackers into visiting pages containing harmful code. This code could do a number of things once opened, from phishing for data or even downloading binaries to the computer or device. eBay report that as few as two in a million items listed on their site use active content, making the chance of being targeted by malicious content is low. Despite this, Check Point stated that they have demonstrated a proof-of-concept for the attack to the eBay security team, with them able to bypass restrictions and deploy malicious code to their seller page without any difficulty.

The finding was made public by Check Point public on Tuesday, hoping that it may push the e-commerce site to patch the vulnerability quickly. This is a good example of how even the sites that seem the most trustworthy can hide potential danger. Until a patch is released, taking care when using eBay may just be the best bet.

Security Firm Sued For Incorrect Forensics Report

Remember when you are watching those TV shows, you know the ones, where government agencies are trying to track down bad guys who have breached a “secure” network? Happens in real life too, with companies like Affinity Gaming finding out the hard way.

Affinity gaming is a Las Vegas-based casino operator who discovered back in 2013 that their network had been breached and people were able to get to the credit card data. Sounds familiar right? Affinity Gaming hired the security firm Trustwave to investigate and isolate the breach, effectively fixing the problem. At the end of the investigation, they claimed that the data breach was “contained”, then adding comments on how to “fend off future data attacks”.

Affinity Gaming then found that they were suffering another data breach, for which they hired the data security firm Mandiant to investigate. It was during Mandiant’s investigation that they worked out the work previously done was only on a “subset of Affinity Gaming’s data security”. This coupled with the fact that they “had failed to identify the means by which the attacker had breached” their systems meant that overall Affinity Gaming believes Trustwave was responsible for “misrepresentations and grossly negligent performance” which in turn they believe cost them “significant out of pocket losses”.

Listing 76 steps outlying their interactions between the three companies and now the complaint, you can see why if one company promised to protect your data and then was found to have failed this task, you would want your money back.

Growing Number of Consumers Expect Internet of Things to Change Connected Homes


The Internet of Things (IoT) is still in its infancy, but manufacturers are speculating that a growing number of people want to enjoy home electronics connected to the Internet, according to a recent survey published by Fortinet.

Sixty-one percent of respondents say a connected home is “extremely likely” to be a reality by 2019.  A whopping 84 percent of survey respondents in China pledged support towards the IoT craze, the report states.

When it comes to IoT security, there are three concerns:  Data loss, malware, and unauthorized access of IoT-connected devices.  Sixty-eight of those surveyed in the U.S. are “extremely concerned” or “somewhat concerned” about data breaches and other security issues stemming from IoT.

Here is what John Maddison, Fortinet VP of Marketing, said in a press statement:

“The Internet of Things promises many benefits to end-users, but also presents grave security and data privacy challenges.  Crossing these hurdles will require clever application of various security technologies, including remove connection authentication, virtual private networks between end-users and their connected home devices, malware and botnet protection, and application security – applied on premises, in the cloud and as an integrated solution by device manufacturers.”

Looking ahead, IoT growth is expected to evolve into a booming industry – research group IDC expects IoT to hit $7.1 trillion by 2020, and companies will need to blend IoT connected home features with strong security and ease-of-use for consumers.

Thank you to Fortinet for providing us with this information

Image courtesy of Digital Trends