A major flaw on eBay’s online sales platform is being used to target customers with malware across Android, iOS and Windows devices, but eBay has said that it has no intention of fixing the vulnerability.
Security company Check Point uncovered evidence of the flaw last year. It involves exploiting the ‘active content’ capability of eBay that is mostly used for nothing more than adding basic HTML on seller pages to emphasis text.

eBay has a filter in place to ensure that sellers do not use anything more complex than this, such as JavaScript or iFrames, so that pop-ups and app download prompts cannot run, whether on Android, iOS or Windows machines.
However, Check Point discovered that using a version of JavaScript termed JSF**K, cyber crooks are able to bypass these filters and trick users into downloading malicious apps, or present pop-up boxes asking for information.
The video below shows the attack in action on an iPhone, tricking the user into downloading a malicious app.
[youtube https://www.youtube.com/watch?v=m4vJxsoYGhY]
The fact that iOS users are at risk is particularly notable, as Apple’s stringent app vetting process usually stops this kind of threat.
However, Check Point explained that the crooks appear to have fraudulent mobile device management credentials, allowing them to push apps to devices when a request is received.
Oded Vanunu, security research group manager at Check Point, who has previously uncovered flaws affecting Apple, WhatsApp and Google, told V3 that the flaw is surprisingly basic.
“Anyone can open an online store but usually once you open it you are very restricted with the functions you can use,” he said.
“However, with JSF**K we found that the eBay infrastructure is blind to this so cyber criminals can bypass the filter and redirect users to their malicious servers.”
This is a veritable gold mine for crooks as it allows them to infect user devices and gather information that could be used for phishing scams.
Worryingly, considering the scale of the risk, Check Point informed eBay of the problem in December and was told in January that eBay will not fix the problem as it wishes to keep the active content capability.
“I must say I was disappointed by their handling of this. We provided them with the entire back story and proof-of-concept, but based on their feedback they’ve just said: ‘Thanks, but we allow active content,” Vanunu said.
“We said: ‘That’s OK but your filters are being bypassed by this JSF**K language that they are blind to.’ But it still hasn’t been fixed.”
V3 contacted eBay for a statement on the situation and received a fairly stock response that made no direct reference to the vulnerability or whether it would be fixed.
“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world,” the firm said in a statement.
“We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”