Check Point warn that leaving the flaw unpatched will expose the online marketplace’s huge userbase to the risk of data theft and phishing attacks while eBay believes that the actual risk of a malicious attack is very low. eBay was made aware of the vulnerability on December 15th, but they are yet to issue a complete patch for the weakness, instead claiming to have implemented additional security filters based on the report to reduce the risk.
eBay told Security Week “eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”
One of the ways that an attacker could target eBay users is by first sending them to a legitimate page which contains the malicious code. By setting up an eBay store and adding malicious code to the description section of items, users can be tricked by attackers into visiting pages containing harmful code. This code could do a number of things once opened, from phishing for data or even downloading binaries to the computer or device. eBay report that as few as two in a million items listed on their site use active content, making the chance of being targeted by malicious content is low. Despite this, Check Point stated that they have demonstrated a proof-of-concept for the attack to the eBay security team, with them able to bypass restrictions and deploy malicious code to their seller page without any difficulty.
The finding was made public by Check Point public on Tuesday, hoping that it may push the e-commerce site to patch the vulnerability quickly. This is a good example of how even the sites that seem the most trustworthy can hide potential danger. Until a patch is released, taking care when using eBay may just be the best bet.