Popular shopping website and online auction house eBay is facing controversy after revealing that it has no intention of fixing a serious security vulnerability. If exploited, the vulnerability allows cyber criminals to target users and distribute phishing and malware campaigns.
To pull off a successful exploit, an attacker would simply need to create an online eBay store. Among the details of the store, the attacker would then post a malicious item description.
This remote code can trick eBay users into visiting and loading a legitimate eBay page that contains the malicious code.
A blog post published by Check Point explained the potential fallout if the vulnerability were exploited:
The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.
Check Point reached out to eBay with an initial report and the proof of concept on December 15th. However, the response from the e-commerce giant was that it did not consider the potential exploit a vulnerability.
The researchers added that the proof of concept exhibited the exploit through which eBay’s security policies were compromised. Malicious code was also embedded in a seller page set up by the researchers.
“At this point, all we can do is hope that eBay will eventually decide to do something about this vulnerability,” the researchers added.