Severe and unpatched eBay vulnerability allows attackers to distribute malware
Check Point researchers have discovered a severe vulnerability in eBay’s online sales platform, which allows criminals to distribute malware and run phishing campaigns.
An attacker can target eBay users by setting up an eBay store with product listings whose listing page carries the malicious code. Users are lured to that page, where a pop-up message from the attacker's store offers a one-time discount to entice them into downloading a "new eBay mobile application."
If a user taps the download button, they unknowingly download a malicious application to their device. The embedded code is then executed by the user's browser or mobile app, opening the door to a range of outcomes, from phishing to malware downloads.
“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point.
After discovering the flaw, Check Point disclosed details of the vulnerability to eBay on December 15, 2015. However, on January 16, 2016, eBay stated that it has no plans to fix the vulnerability.