eBay refuses to patch website flaw that can serve up malware

The e-commerce giant confirmed it would not fix the flaw, which could allow an attacker to remotely run code in a user's browser.

(Image: CNET/CBS Interactive)

eBay will not fix a flaw in its website that could allow an attacker to serve malware to unsuspecting site users.

Israeli security firm and firewall maker Check Point disclosed a "severe" vulnerability that would allow an attacker to bypass eBay's code validation and remotely execute malicious code in the browsers of the e-commerce site's users.

Because of the nature of the vulnerability, an attacker can execute remote code that steals local data, injects code into unencrypted sites that could trick a user into turning over usernames and passwords, or even initiate malware or ransomware downloads.

An attacker would have to use non-standard programming code to embed malicious content in their own online store, because the platform prevents scripts and IFRAMES (which can host third-party site content) from loading. Check Point researchers were able to bypass some of these script-blocking measures using code written with just six different characters.
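To show the defender's side of the six-character bypass described above, here is an added example (not from the article, eBay or Check Point) of a heuristic that flags listing markup built almost entirely from such a minimal character set. It assumes the six characters are the `[]()!+` alphabet of the JSFuck encoding, uses constructed sample listings, and is meant to supplement proper output encoding and sanitization, not replace them.

```python
import re
from typing import List

# Assumption for this example: the six-character subset is the alphabet of
# the JSFuck encoding, which can express any JavaScript program.
JSFUCK_CHARS = "[]()!+"
MIN_RUN = 40     # example threshold: no natural listing text looks like this
MAX_RATIO = 0.5  # example threshold for "mostly alphabet characters"

def _compact(text: str) -> str:
    # JavaScript ignores whitespace between tokens, so a payload split by
    # spaces or newlines still runs; drop it before measuring runs.
    return re.sub(r"\s+", "", text)

def jsfuck_runs(text: str, min_run: int = MIN_RUN) -> List[str]:
    """Return every run of at least min_run consecutive alphabet characters."""
    pattern = re.compile("[%s]{%d,}" % (re.escape(JSFUCK_CHARS), min_run))
    return pattern.findall(_compact(text))

def alphabet_ratio(text: str) -> float:
    """Fraction of non-whitespace characters drawn from the alphabet."""
    compact = _compact(text)
    if not compact:
        return 0.0
    return sum(c in JSFUCK_CHARS for c in compact) / len(compact)

def classify(text: str, min_run: int = MIN_RUN, max_ratio: float = MAX_RATIO) -> str:
    """'block' on a long run, 'review' when mostly alphabet, else 'allow'.
    A tag blocklist (no <script>, no <iframe>) never sees this pattern,
    which is why a filter that only strips tags can be bypassed."""
    if jsfuck_runs(text, min_run):
        return "block"
    if alphabet_ratio(text) > max_ratio:
        return "review"
    return "allow"

# Constructed sample listing descriptions; the "encoded" ones are filler made
# only of alphabet characters, not a working program.
SAMPLE_LISTINGS = {
    "benign": "Vintage lens (new!) [boxed] + free shipping!! (+ filter)",
    "encoded": "<div>" + "[![]+[]]" * 10 + "</div>",
    "spaced": "<div>" + " ".join(["[![]+[]]"] * 10) + "</div>",
}

if __name__ == "__main__":
    for name, html in SAMPLE_LISTINGS.items():
        print(f"{name:8s} ratio={alphabet_ratio(html):.2f} -> {classify(html)}")
```

The thresholds are illustrative; a real deployment would tune them against legitimate listing data and log hits for review rather than silently dropping content.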

After Check Point privately reported the vulnerability on December 15, eBay said a month later that it had no plans to fix the flaw.

eBay, which according to its fiscal fourth-quarter earnings serves more than 162 million users across 30 countries, said that it has "not found any fraudulent activity stemming from this incident."

An eBay spokesperson added that "while not fully patched," the e-commerce giant has "implemented various security filters based on his findings," but did not provide additional details.
