Security Researcher Found A 'Severe' Vulnerability in eBay

Security Researcher Found A 'Severe' Vulnerability in eBay

A "severe" vulnerability exists in eBay for which they have no plans to patching it. Check Point Software firm Researchers said that "a malicious code and phishing pages can be distributed by the attackers because of this vulnerability and it also allows to bypass a key restriction".

Bypass a key restriction prevents user posts from hosting JavaScript code that gets executed on end-user devices. Scammers allow creating auction pages that are able to execute dangerous code or content whenever unsuspecting users used it, but eBay has already enforced some limitations to prevent it. JSFUCK is a highly specialized coding technique by which hackers can easily work around this safeguard. By using this technique eBay users can easily insert JavaScript into their posts and variety of different payloads will call by it. 

Oded Vanunu (Check Point researcher) wrote in his blog post that "A legitimate page contains malicious code and this page is sent by attackers to target eBay users".
"And when customers opens this page the code will automatically execute on their respective devices by browser or mobile app, an it leads to multiple dangerous scenarios that can worse from phishing to binary download".

In mid-December, this vulnerability has been founded by the Check Point researchers, but till January 16, also eBay officials informed the researchers that they don't have the plans to patch this fix. This post went alive when an e-mail sent to Ars. 

eBay officials wrote: "eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”

In the video, some elements of social engineering have been exploited. eBay's user is having a lack of security awarenes and knowledge about the site's walled-garden environment whose goal is to block malicious content. Using the JSFUCK technique Ebay's JavaScript filter can strip out characters to invoke executable code but due to this vulnerability it results in failing. Created by developer Martin Kleppe, By using only different characters to execute code, variety of intrusion prevention systems and Web application firewalls can bypass by JSFUCK technique. As Check Point's Vanunu described:

eBay's reported that this vulnerability will be patch as soon as possible but there is a concern that it will break current features or site functionality.  

Prrof of Concept (POC):