It seems that eBay has no plan to fix a serious vulnerability that allows an attackerto use trusted certificates of external site to distribute malicious software andphishing pages. The bug was discovered by Check Point and allows hackers to bypass service authentication code and check the part of vulnerable coderemotely to run malicious Java script against the same eBay members.
eBay, we know everyone, is one of the bigger sites and famous in the world ofonline auctions and e-commerce. Has offices in more than 30 countries and isused by over 150 million users. Because of its broadcast portal has been the victim of numerous attacks over time, but without a solution to the currentproblem all customers will continue to be exposed to potential phishing attacksand data theft, according to the declarations of the security company.
"An attack against eBay users could take place by sending a legitimate page thatcontains malicious code," writes Check Point. "Customers could be tricked andconvinced to open the page, and then the code will be executed by the browseror the user's mobile app, causing several disturbing scenarios, ranging from phishing to download twofold." Arstechnica has explained in detail the operation of the bug and how it can be exploited.
The vulnerability allows you to work around a limitation of eBay that preventsusers from posting JavaScript code that can be run on the devices. To work around the restrictions imposed by eBay you have to use a technique known as"highly specialized" JSFUCK, with which they can be targeted for specific browser on equally specific devices. Check Point has notified the details of the bug lastDecember 15, but after a month eBay responded was not interested to remedy the flaw presented on the site.
The company stresses that the security hole is never been tapped and that over time have been implemented some specific filters for detection of an attempt toexploit the bug. Through an exchange of e-mails with the u.s. site, eBay gives users the experience of use of the service is not undermined by any security concerns, with the release of a fix that might impair functionality or even force you to delete some options now present on the service.
No comments:
Post a Comment