EBay Changes Mind And (Partially) Fixes Site Security Flaw

Auction site eBay has performed an about-turn and fixed a potential damaging vulnerability affecting its website.

However, the company has only partially fixed the JavaScript flaw, revealed a few days ago, which could have put users at risk of downloading malware.

Today’s news comes after eBay had previously said it had no plans to perform any repairs on its site, despite the vulnerability first being revealed by security researchers CheckPoint back in December.

Overbid

The flaw, which exploited gaps in the website’s listing system, could have allowed hackers to insert malicious JavaScript code into an item description on the site.

This could have given cybercriminals an easy way to target users, either by sending a link to a very attractive product that would link to a download for malware, or by executing phishing scams purporting to come from eBay itself, offering new deals or special items.

Following CheckPoint’s reveal of its findings earlier this week, eBay says it has implemented various security filters based on Check Point’s findings, noting that it took security “very seriously”, but had yet to identify any fraudulent activity stemming from this incident.

“While not fully patched, given that we allow active content on our marketplace, it’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace,” eBay told the BBC.

“This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious Java script on targeted eBay users,” said Check Point research manager Oded Vanunu.

“If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.”

Are you a security pro? Try our quiz!