There are hundreds of millions of people that spend a great amount of time every day surfing through the eBay.com domain to shop for almost everything they want or need to buy.
That is why it is a cause of major concern when I heard the news of a massive phishing campaign that targets eBay visitors. Worse, the phishing attacks could lead to the theft of data that belong to these users.
The report first came from security researchers at Check Point, who spotted the phishing attacks designed to trick eBay visitors into clicking a link on eBay that would redirect them to a domain where the attack would be launched.
The eBay flaw has been found in the website’s online sales platform, where a hacker is able to work his way around the code validation process of eBay and implement the malicious JavaScript on the browser being used by the victim.
In this case, the attacker can insert a remotely controlled JavaScript into eBay’s seller page in order to make several payloads for a different user agent. The attacker can also use the JavaScript to lure the victim into downloading and installing a malicious app and launch phishing campaigns.
Check Point security experts spotted the issue around December of 2015 and has alerted eBay to the situation at once, but site hosting company reportedly told Check Point recently that it would not release a fix to the vulnerability.
It would be irresponsible on the part of eBay to leave hundreds of millions of site visitors susceptible to the flaw. There was no lack of evidence from the security researchers who demonstrated with much conviction that they successfully bypassed the security hurdles with eBay and introduced a malicious code to the seller page of the online shopping giant. The execution was made with no difficulty, the researchers claimed.
The reason behind eBay’s refusal to address the problem is the apparent lack of evidence pointing to the fact that attackers have actually taken advantage of the issue to launch attacks on eBay visitors. The situation must reach its extremes, then, before eBay decides to take the necessary action to contain the problem at hand.
eBay released a customary statement in which it reiterates its commitment to protecting the marketplace for the millions of users who turn to the site from across the world to sell or buy something.
The company says it takes reports about security issues very seriously and assess the report according to the company’s security infrastructure. But with regards to the report from Check Point, eBay says it has not found any compelling evidence pointing to a serious security issue.
