Cape Town – A security company has identified a vulnerability in e-commerce site eBay which could leave customers exposed to phishing attacks.
Check Point on Friday announced that it had discovered a flaw that allows attackers to bypass the trading site’s validation and control. This could leave customer computers exposed to malicious Java code.
“If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft. An attacker could target eBay users by sending them a legitimate page that contains malicious code,” Check Point said in a statement.
“Customers can be tricked into opening the page, and the code will then be executed by the user’s browser or mobile app, leading to multiple ominous scenarios that range from phishing to binary download.”
The company had reported the flaw to eBay in December 2015, but said that the exploit is still live on the platform.
Multiple media reports indicate that the company has no plans to repair the vulnerability.
The massive online trading site had around 164 million users at the end of 2015, and the attack, dubbed “JSF**k”, allows cyber crooks to use it as a phishing and malware distribution platform, said Check Point.
“The eBay attack flow provides cyber criminals with a very easy way to target users: Sending a link to a very attractive product to execute the attack,” said Oded Vanunu, Security Research Group manager at Check Point.
“The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account.”