Unpatched eBay vulnerability leaves shoppers at risk of downloading malware
Be extra careful the next time you visit a suspicious-looking eBay store page.
According to Help Net Security, researchers from the Check Point security firm have discovered a vulnerability in the eBay platform that allows criminals to distribute malware by bypassing the site’s code validation process and control the code themselves.
MUST SEE: 15 paid iPhone apps on sale for free right now
Here’s how it works: an attacker sets up a store page with listings for products. On the page, a pop-up message will appear telling customers that they can receive a limited-time discount if they download the eBay mobile app. By clicking the download button, the user will unknowingly download the code and put their device at risk.
Here’s a video of the attack in action:
“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point.
Although Check Point made eBay aware of the vulnerability on December 15th, 2015, the company apparently responded on January 16th saying that it had no plans to fix the flaw. Thankfully, it’s relatively easy to avoid if you’re on the lookout.
Related stories
Use this clever eBay shopping hack to see deals most searches won't find
eBay's Cyber Monday announced - great deals on laptops, cameras and Apple Watch
eBay's Black Friday 2015 sale is now live
More from BGR: Where to sit on an airplane to avoid being killed on impact
This article was originally published on BGR.com
