eBay bug lets hackers embed malicious code into auction pages

Security firm Check Point Software has found an eBay vulnerability that gives attackers a way to use the website to phish unsuspecting users or to infect their devices. As long as attackers use a programming technique known as JSFuck, they can bypass a key restriction that prevents people from embedding JavaScript code into auction pages. This code will run when the page is opened on either a mobile or a desktop browser. In the video below, for instance, someone sent an eBay link to a mobile user, who was then prompted to install malware masquerading as a "discount app" upon viewing the item's details.
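As an added illustration (not from Check Point, eBay or the original article), here is a filter-side heuristic for the bypass described above: JSFuck rewrites JavaScript using only the six characters [ ] ( ) ! +, so long, varied runs of them in listing HTML are worth flagging. The function names, thresholds and sample strings are assumptions constructed for this example.

```javascript
// Added example: heuristic detector for JSFuck-style code in listing HTML.
// JSFuck expresses JavaScript using only six characters: [ ] ( ) ! +

// Find maximal runs made only of those characters (whitespace allowed inside
// a run) that are long and varied enough to look like encoded code.
// minLen and minDistinct are assumed thresholds; tune them on real listings.
function findJsfuckRuns(html, minLen = 40, minDistinct = 5) {
  const hits = [];
  const run = /[\[\]()!+][\[\]()!+\s]*/g;
  let m;
  while ((m = run.exec(html)) !== null) {
    const compact = m[0].replace(/\s+/g, "");
    const distinct = new Set(compact).size;
    // Decorative punctuation ("!!!!!!!!") is long but uses one or two
    // characters; encoded code needs nearly all six.
    if (compact.length >= minLen && distinct >= minDistinct) {
      hits.push({ offset: m.index, length: compact.length, distinct });
    }
  }
  return hits;
}

// Verdict for one listing description.
function classifyListing(html) {
  const hits = findJsfuckRuns(html);
  return { suspicious: hits.length > 0, hits };
}

// Constructed samples. The fragment only spells the harmless string "fl".
const FRAGMENT = "(![]+[])[+[]]+(![]+[])[!+[]+!+[]]";
const SAMPLE_ENCODED =
  "<script>" + [FRAGMENT, FRAGMENT, FRAGMENT].join("+\n") + "</script>";
const SAMPLE_BENIGN =
  "<p>BEST DEAL EVER" + "!".repeat(60) + " (new) [sealed]</p>";

console.log(classifyListing(SAMPLE_ENCODED));
console.log(classifyListing(SAMPLE_BENIGN).suspicious);
```

A hit is a signal for review or stricter sanitisation, not proof of malice; the check complements an allow-list HTML sanitiser rather than replacing it.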

According to Check Point Software's blog post, the firm notified eBay of the flaw back in December, but the company said it did not have plans to fix the vulnerability. eBay told Ars Technica, however, that it has been in touch with Check Point Software and that it has "implemented various security filters" based on its findings. The marketplace also added that it hasn't detected any fraudulent activity that takes advantage of the bug yet:

"Since we allow active content on our site it's important to understand that malicious content on our marketplace is extremely uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace."

Still, if you come across an auction page that asks you to install or download anything, remember this flaw and make sure to click Cancel.

Via: Ars Technica
Source: Check Point