Sunday 21 February 2016

Even After Patching, Attackers Found A Different Way To Exploit eBay Users

Two weeks ago, the cybersecurity firm Check Point discovered the JSF*** XSS bug. Now the JSF*** XSS bug is being used in real-world attacks on the eBay platform, even though eBay had already neutralized it.

A few years back, Martin Kleppe started JSF*** as an educational project. Its purpose is to narrow most of JavaScript's syntax down to combinations of the characters [, ], (, ), ! and +.

An attacker can easily hide code written in regular JavaScript syntax by encoding it with JSF***, and then insert it into the product description field. Check Point security researchers discovered this while creating an eBay store.

Is the JSF*** XSS bug hard to detect?

JSF*** XSS bugs are very difficult to detect because the code uses a non-standard character set. The JSF*** code is stored in the product's description after passing through eBay's XSS filter, and the malicious code in the product page is executed whenever a user accesses that page, right on the eBay store.
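One way a listing pipeline could check for this, as an added example that is not code from the original post, eBay, Check Point or Netcraft: it flags long runs made only of the six JSF*** characters in a submitted description. The function names, the 40-symbol threshold and the sample descriptions are assumptions constructed for illustration.

```javascript
// Added example: heuristic for JSF***-style runs in a submitted description.
const SIX = new Set(['[', ']', '(', ')', '!', '+']);

// Return each run made only of the six characters whose symbol count is at
// least minLen. Whitespace inside a run is tolerated, because JavaScript
// ignores it. minLen = 40 is an assumed threshold, to be tuned on real listings.
function findSixCharRuns(text, minLen = 40) {
  const runs = [];
  let start = -1, symbols = 0, lastHit = -1;
  const flush = () => {
    if (start !== -1 && symbols >= minLen) {
      runs.push({ start, end: lastHit + 1, symbols });
    }
    start = -1;
    symbols = 0;
  };
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (SIX.has(ch)) {
      if (start === -1) start = i;
      symbols++;
      lastHit = i;
    } else if (start === -1 || !/\s/.test(ch)) {
      flush(); // any other character ends the current run
    }
  }
  flush();
  return runs;
}

// Hypothetical wrapper: verdict a listing pipeline could send to manual review.
function reviewDescription(html, minLen = 40) {
  const runs = findSixCharRuns(html, minLen);
  return { suspicious: runs.length > 0, runs };
}

// Constructed samples. The encoded fragment only evaluates to a string of "f"s.
const benign = '<p>2014 hatchback (one owner!) + full history [see photos]</p>';
const fragment = '(![]+[])[+[]]+';
const encoded = '<p>Great car</p><script>' + fragment.repeat(10) + '[]</script>';
const spaced = '<script>' + '(![]+[]) [+[]]+\n'.repeat(10) + '[]</script>';

console.log(reviewDescription(benign));
console.log(reviewDescription(encoded));
console.log(reviewDescription(spaced));
```

Ordinary punctuation in a description produces only runs of a few symbols, so the threshold separates it from encoded script; flagged listings still need review, since a run can be split or mixed with other syntax.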

Most users arrive there for a number of reasons:

>> By clicking on actual links.
>> Most of them have their guard down.

This JSF*** XSS bug was first launched on the main domain of eBay.

eBay's previous fix was not sufficient:

When this bug first came up, eBay refused to patch the issue, but under pressure from the InfoSec community it released a partial fix, which is not very effective according to Netcraft (a security and monitoring firm). Netcraft has observed real-world instances in which eBay visitors have been affected by this bug.

According to Netcraft, "in order to create malicious product listings for vehicles, users' accounts have been compromised by the hackers, almost all accounts are of eBay users, and because of having legitimate activities in their profile they are hard to detect."

Curiously, the crooks employing JSF*** aren't stealing eBay passwords

"Not only is it rather cleverly launched from the legitimate eBay site, and uses randomly-named files that are deleted to evade detection, but it also tries to avoid leaving any evidence in eBay's server logs," Netcraft researchers noted about this most recent campaign that employs JSF***.

This phishing campaign steals only email addresses, not passwords. This is because a payment link through the escrow service is sent to the user by email, along with the address, and the crooks are exploiting the user's interest in the eBay product. Once the customer initiates a payment through the link, the crooks keep all the money.

