starbuck Posted February 3, 2016

The e-commerce giant confirmed it would not fix the flaw, which could allow an attacker to remotely run code in a user's browser.

eBay will not fix a flaw in its website that could allow an attacker to serve malware to unsuspecting site users.

Israeli security firm and firewall maker Check Point disclosed a "severe" vulnerability that would allow an attacker to bypass eBay's code validation and remotely execute malicious code on the e-commerce site's users.

Because of the nature of the vulnerability, an attacker can execute remote code that steals local data, injects code into unencrypted sites that could trick a user into turning over usernames and passwords, or even initiate malware or ransomware downloads.

An attacker would have to use non-standard programming code to embed malicious content on their own online store, because the platform prevents scripts and IFRAMES (which can host third-party site content) from loading.

Check Point researchers were able to bypass some of these script-preventing measures by using just six different characters.

After Check Point privately reported the vulnerability on December 15, eBay said a month later that it has no plans to fix the flaw.

eBay, which serves more than 162 million across 30 countries based on its fiscal fourth-quarter earnings, said that it has "not found any fraudulent activity stemming from this incident."

The spokesperson added that "while not fully patched," the e-commerce giant has "implemented various security filters based on his findings," but did not provide additional details.

Source: http://www.zdnet.com/article/ebay-refuses-to-patch-website-flaw-that-allows-hackers-to-serve-up-malware/#ftag=RSSbaffb68

allheart55 (Cindy E, FPCH Admin) Posted February 3, 2016

Makes me glad that I stopped using eBay years ago.

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~ ~~Robert McCloskey~~