eBay bug lets hackers embed malicious code into auction pages

The code can prompt users to download and install malware.

Security firm Check Point Software has discovered an eBay vulnerability that gives attackers a way to use the website to phish unsuspecting users or to infect their devices. So long as attackers use a programming technique known as JSFuck, they can bypass a key restriction that prevents people from embedding JavaScript code in auction pages. That code runs when the page is opened in either a mobile or a desktop browser. In the video below, for instance, someone sent an eBay link to a mobile user, who was then prompted to install malware masquerading as a "discount app" upon viewing the item's details.
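JSFuck rewrites any JavaScript program using only the six characters `[]()!+`, which is what lets it slip past a filter that looks for conventional script syntax. A cheap defensive signal for anyone moderating user-submitted HTML is that legitimate text almost never contains long unbroken runs of those characters. The following check is an added example, not Check Point's or eBay's code; the listing strings are constructed samples and the run-length threshold is an assumed tuning value.

```python
import re

# JSFuck programs consist solely of these six characters. Runs of them in
# submitted listing HTML are a strong indicator of an obfuscated script.
JSFUCK_RUN = re.compile(r"[\[\]()!+]+")


def longest_jsfuck_run(text: str) -> int:
    """Length of the longest run of JSFuck-alphabet characters.

    Whitespace is removed first, because a JavaScript engine ignores it
    between tokens, so an attacker could pad a payload to defeat a naive scan.
    """
    compact = re.sub(r"\s+", "", text)
    return max((m.end() - m.start() for m in JSFUCK_RUN.finditer(compact)), default=0)


def flag_listing(html: str, min_run: int = 32) -> bool:
    """Flag a listing for review when it carries a JSFuck-style run.

    min_run is an assumed threshold: ordinary punctuation such as "(!)" or
    "[]" yields runs of two or three characters, never dozens.
    """
    return longest_jsfuck_run(html) >= min_run


# Constructed sample listings (not real eBay content).
BENIGN_LISTING = "Brand new (never opened!) in box [see photos] + free shipping"
# A harmless stand-in for an obfuscated payload: a repeated JSFuck-alphabet
# fragment, long enough to trip the run-length check.
SUSPICIOUS_LISTING = "Great deal <div>" + "(!![]+[])" * 8 + "</div>"


if __name__ == "__main__":
    for label, listing in (("benign", BENIGN_LISTING), ("suspicious", SUSPICIOUS_LISTING)):
        print(label, longest_jsfuck_run(listing), flag_listing(listing))
```

Run-length is only one signal: it should feed a review queue alongside the existing script filters rather than replace them, since an attacker can also split a payload across several elements.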

According to Check Point Software's blog post, the firm notified eBay of the flaw back in December, but the company said it didn't have plans to fix the vulnerability. eBay told Ars Technica, however, that it's been in touch with Check Point Software and that it has "implemented various security filters" based on its findings. The marketplace also added that it hasn't detected any fraudulent activity that takes advantage of the bug yet:

Since we allow active content on our site it's important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.

Still, if you come across an auction page that asks you to install or download anything, remember this flaw and click Cancel.