eBay has no plans to fix ‘severe’ vulnerability that could infect users with malware
Ron Czapala
http://thenextweb.com/insider/2016/02/03/ebay-has-no-plans-to-fix-severe-vulnerability-that-could-infect-users-with-malware/
In mid-December, researchers at security firm Check Point Software reported a security vulnerability to eBay. This vulnerability is an appropriately-named (JSF**K) exploit that bypasses restrictions by eBay on how it handles hosted JavaScript within its listings.
Using JSF**K, attackers can bypass this safeguard and run malicious code that targets eBay’s users.
http://blog.checkpoint.com/2016/02/02/ebay-platform-exposed-to-severe-vulnerability/
To exploit this vulnerability, all an attacker needs to do is create an online eBay store. In his store details, he posts a maliciously crafted item description. eBay prevents users from including scripts or iFrames by filtering out those HTML tags. However, by using JSF**k, the attacker is able to create a code that will load an additional JS code from his server. This allows the attacker to insert a remote controllable JavaScript that he can adjust to, for example, create multiple payloads for a different user agent.
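An added example, not part of the post or the quoted articles and not a description of eBay's actual filter: the encoding named above writes JavaScript using only the six characters `[ ] ( ) ! +`, so a filter that looks for tag names finds nothing to remove, but a listing screen can flag long runs of those characters. The function name, the 40-symbol threshold and the sample strings are assumptions constructed for this example.

```javascript
// The six characters the encoding is restricted to.
const JSFUCK_CHARS = new Set(["[", "]", "(", ")", "!", "+"]);

// Return every run of at least `minSymbols` of those characters.
// Whitespace inside a run is skipped rather than treated as a break,
// so padding the run with spaces or newlines does not hide it.
// minSymbols = 40 is an assumed threshold, to be tuned on real listings.
function findJsfuckRuns(text, minSymbols = 40) {
  const runs = [];
  let start = -1;  // index of the first symbol of the current run
  let end = -1;    // index just past the last symbol seen
  let symbols = 0; // symbols counted in the current run
  const flush = () => {
    if (start !== -1 && symbols >= minSymbols) {
      runs.push({ start, length: end - start, symbols });
    }
    start = -1;
    symbols = 0;
  };
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (JSFUCK_CHARS.has(ch)) {
      if (start === -1) start = i;
      end = i + 1;
      symbols++;
    } else if (!/\s/.test(ch)) {
      flush(); // any other visible character ends the run
    }
  }
  flush();
  return runs;
}

// Constructed sample inputs. The encoded fragment is harmless:
// it evaluates to the string "ffff" and does nothing else.
const HARMLESS_FRAGMENT = Array(4).fill("(![]+[])[+[]]").join("+");
const SAMPLE_BENIGN = "Vintage lamp (new!) [size: 40+ cm] <b>Great deal!!</b>";
const SAMPLE_ENCODED = "Nice item " + HARMLESS_FRAGMENT + " end";

console.log(findJsfuckRuns(SAMPLE_BENIGN));  // no runs reported
console.log(findJsfuckRuns(SAMPLE_ENCODED)); // one run reported
```

A hit is a reason to hold the listing for review, since ordinary descriptions rarely contain dozens of consecutive brackets and operators.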