Update: eBay 'cesspit' has 'no plans' to fix severe vulnerability

Though a large vulnerability was discovered in eBay's global sales platform, the company has 'no plans' to fix the active code exploit.

The global bidding giant was deaf to this particular disclosure
eBay will apparently not be fixing a 'severe vulnerability' on the company's global sales platform. Check Point Software's research team apparently disclosed details of the vulnerability in mid-December last year.
But, according to Check Point, on 16 January eBay stated in a private communication to the company that it had no plans to fix the vulnerability.

Scams have been known to take place on eBay; in fact, it seems reasonable for a platform so large to miss a few things occasionally. This particular vulnerability, though not yet seen exploited in the wild, is particularly large, and Check Point's proof of concept, according to the company, works.

This 'severe vulnerability' allows the bypass of the global bidding platform's code validation. From that point, any wilful attacker can manipulate the vulnerable code remotely and release malicious JavaScript code on users. If the vulnerability is left unpatched, Check Point told press in a statement, “eBay's customers will continue to be exposed to potential phishing attacks and data theft.”

When an attacker sets up an eBay shop he or she can add a listings page which may be laden with malicious code. With a simple pop-up message on the store, advertising an eBay mobile app discount, any passing prey can be lured into downloading a malicious app. From there, an array of the usual suspects can be unleashed onto the infected machine; anything from phishing to downloading malware, according to Check Point. 

The company's Magento e-commerce platform was assaulted by hackers in June last year, and the year before that, in 2014, an XSS vulnerability in eBay's platform was exposed by the BBC. Magento split from eBay Enterprise in November last year.

 

It was Check Point researcher Roman Zalkin who made the above video and discovered the vulnerability as part of an ongoing investigation into flaws and vulnerabilities, using a technique colourfully monikered “JSF**K”. While eBay doesn't let users put in scripts or iFrames, JSF**K allows the dogged hacker to insert additional, remotely controllable JavaScript from their own server that, according to Check Point's statement, they “can use to create multiple payloads for a different user agent”.
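JSF**K writes JavaScript using only the six characters `[ ] ( ) ! +`, so a validator that looks for script tags or keywords sees nothing it recognises. The check below is an added example, not code from Check Point or eBay: it flags long runs of those characters in seller-submitted markup, and the function names, the 40-character threshold and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: flag JSFuck-style runs in seller-submitted markup.
// JSFuck encodes JavaScript using only these six characters.
const JSFUCK_CHARS = new Set("[]()!+");
const MIN_RUN = 40; // assumed threshold; tune against real listings

// Constructed samples. The fragment is the JSFuck spelling of the letter
// "f" ("false"[0]) joined five times; it evaluates to the string "fffff".
const FRAGMENT = Array(5).fill("(![]+[])[+[]]").join("+");
const SAMPLE_ENCODED = "<div>" + FRAGMENT + "</div>";
const SAMPLE_SPLIT = "<div>" + FRAGMENT.replace(/\+\(/g, "+\n (") + "</div>";
const SAMPLE_BENIGN = "<p>Vintage camera (boxed) [rare]! Price + postage</p>";

// Return every run of at least minRun six-set characters. Whitespace inside
// a run is skipped rather than treated as a break, because JavaScript
// ignores it between tokens and it could be used to split a run.
function findJsfuckRuns(markup, minRun = MIN_RUN) {
  const runs = [];
  let start = -1; // index of the first six-set character in the run
  let end = -1;   // index just past the last six-set character
  let count = 0;  // six-set characters seen, whitespace excluded
  const flush = () => {
    if (count >= minRun) runs.push({ start, end, length: count });
    start = -1;
    count = 0;
  };
  for (let i = 0; i < markup.length; i++) {
    const ch = markup[i];
    if (JSFUCK_CHARS.has(ch)) {
      if (start === -1) start = i;
      count++;
      end = i + 1;
    } else if (start !== -1 && /\s/.test(ch)) {
      continue; // tolerate whitespace inside an open run
    } else {
      flush(); // any other character ends the run
    }
  }
  flush();
  return runs;
}

// Hold a listing for manual review when any run is found.
function reviewListing(markup) {
  const runs = findJsfuckRuns(markup);
  return { verdict: runs.length > 0 ? "hold-for-review" : "pass", runs };
}
```

A run-length check like this is one layer; it sits alongside an allow-list HTML sanitiser and a Content Security Policy rather than replacing them.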

This was disclosed late last year, closely followed by a proof of concept and a rundown of the details, but in a private communication between Check Point and eBay on 16 January the online auctioneering giant declared that it would not be fixing the vulnerability as it allows 'active content'.

Active content is software code that automatically performs an action, say, opening a pop-up. This is the tool that the vulnerability seems to hinge on. A spokesperson from Check Point told SCMagazineUK.com that though eBay's policies allow certain active code and “should be able to automatically prevent malicious parties from uploading malicious code to eBay store pages,” this exploit “allows the hacker to get around eBay's policy and upload malicious code.”

Check Point apparently can't comment on the company's decision not to address this vulnerability but is “publishing the details of its findings with the aim of eBay addressing the issue.”

Such a cool response has in turn elicited an icy one from around the industry. Norman Shaw, CEO and founder of ExactTrak, a specialist mobile security company, put it plainly to SC. “eBay is clearly wrong not to provide a fix,” said Shaw. “It is being cavalier with customers' information that can be hijacked and used for illegal purposes or even terrorism.”

“This is a classic example where the senior executives need to be held accountable and dealt with accordingly. They fall foul of the requirement to provide a robust customer data protection infrastructure, in addition to watching what happens to the executives,” Shaw told SC.

Shaw believes that perhaps the best way to bring the company to heel “is for the payments company it is using to suspend its ability to take money. This would mean that until there is a verifiable fix, customers will not be able to put their details into the eBay cesspit.”

SC spoke to an eBay spokesperson, who commented that at eBay “we're committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”
