Caution! Phishing Attacks can be Launched Against eBay Visitors

A severe vulnerability found in the eBay online sales platform could let attackers launch phishing attacks against visitors. Operating in 30 countries and serving around 150 million active users, eBay has earned its crown as a king of e-commerce platforms. As a successful company, it is no surprise that it has been the target of many attackers. It was discovered that an attacker can bypass eBay’s code validation and execute malicious JavaScript code on targeted eBay users, so a visitor can be tricked easily.


How a visitor can be tricked: It is very simple to trick visitors through this vulnerability. An attacker can send target users a legitimate-looking page that contains malicious code, and users can be tricked into opening it. Opening the page triggers code execution, which leads to various attacks ranging from phishing to binary download.

This vulnerability was disclosed by a security researcher at Check Point, who states: “This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious Java script code on targeted eBay users. If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.”

JSF**k technique: This is an esoteric and educational programming style, based on the atomic parts of JavaScript, that uses only six different characters to write and execute code. An attacker can use this technique in an item description to pull in the code. eBay prevents users from including scripts and iframes in descriptions by filtering out HTML tags, but the validation mechanism fails when the script is written as JSF**k code. Because the code is expressed with only these few characters, the technique can also bypass various intrusion prevention systems and web application firewalls.
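The filtering gap described above can be narrowed by measuring how much of a description consists of the six JSF**k characters `[ ] ( ) ! +`. The following is an added example, not code from eBay or Check Point; the function names, the `MIN_RUN` threshold and the sample strings are assumptions made for illustration.

```javascript
// Added example (not eBay's or Check Point's code). Assumptions: MIN_RUN and
// all sample strings below are constructed for illustration.
const JSF_ALPHABET = new Set(['[', ']', '(', ')', '!', '+']);
const MIN_RUN = 40; // assumed threshold; tune against real listing text

// Decode numeric character references (&#91; or &#x5b;) so an entity-encoded
// run is measured the same way as a literal one.
function decodeNumericEntities(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const isHex = code[0].toLowerCase() === 'x';
    const cp = isHex ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Longest run built only from the six characters. Whitespace inside a run is
// skipped, so padding with spaces or newlines does not split it.
function longestJsfRun(text) {
  let best = { length: 0, start: -1 };
  let runLen = 0;
  let runStart = -1;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (JSF_ALPHABET.has(ch)) {
      if (runLen === 0) runStart = i;
      runLen++;
      if (runLen > best.length) best = { length: runLen, start: runStart };
    } else if (!/\s/.test(ch)) {
      runLen = 0; // any other visible character ends the run
    }
  }
  return best;
}

// Verdict for one user-supplied description (raw HTML as submitted).
function inspectDescription(html) {
  const run = longestJsfRun(decodeNumericEntities(html));
  return { suspicious: run.length >= MIN_RUN, longestRun: run.length, offset: run.start };
}

// Constructed samples: the filler is alphabet characters only, not a script.
const SAMPLE_BENIGN = 'Brand new phone (unlocked) + charger [boxed]!';
const SAMPLE_LITERAL = '<p>Great item</p>' + '[]+'.repeat(30);
const SAMPLE_ENCODED = '<p>Great item</p>' + '&#91;&#93;&#43;'.repeat(20);

console.log([SAMPLE_BENIGN, SAMPLE_LITERAL, SAMPLE_ENCODED].map(inspectDescription));
```

A check like this complements tag filtering rather than replacing it; the `offset` it reports refers to the entity-decoded text.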

This flaw gives cyber criminals an easy way to exploit users: sending a link to an attractive product is enough to execute the attack. The attack aims to spread malware and steal users’ private information. In addition, an attacker could create an alternate login pop-up, via Gmail or Facebook, and take over the user’s account.

If you scroll down only ten pages, you will find hundreds of cyber threats happening every day. E-commerce companies in particular face these problems due to various known or unknown vulnerabilities. Scan your websites for vulnerabilities and patch them as soon as possible to avoid these threats.

Last modified on Friday, 05 February 2016 11:07