Check Point Points Out Security Flaw in eBay

In December 2015, the security company Check Point informed eBay that it had discovered a flaw in the site's active content. Active content is the part of the site that lets store owners serve content such as pop-ups to their visitors, and the flaw could potentially allow attackers to trick users into downloading malware. Check Point recently made public that eBay had replied to its warnings saying it “had no plans to fix the vulnerability”.

Since then, however, eBay has stated that it has taken action and partially fixed the vulnerability, noting that it “implemented various security filters based on Check Point’s findings”. eBay also added, “While not fully patched, given that we allow active content on our marketplace, it’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.” The company said it takes security “very seriously” and that “we have not found any fraudulent activity stemming from this incident.” If you have any questions regarding the security issue, contact eBay; their phone number is given here. Alternatively, you can visit the official eBay website for a free phone number.

Check Point research manager Oded Vanunu stated, “This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious JavaScript on targeted eBay users. If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.” In other words, the vulnerability meant that any attacker could set up an eBay store and use it to insert the malicious code into listings shown to other users.
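The "code validation" Check Point describes being bypassed is the filter that decides which seller-supplied markup may reach other users' browsers. The following is an added example, not code from eBay or Check Point, that contrasts a blocklist filter (strip `<script>` elements and pass everything else) with an allowlist sanitizer that rebuilds each tag from a fixed set of permitted tags and attributes. The tag and attribute lists, the `SAMPLE_LISTING` fragment and the function names are assumptions made for the illustration, not anything taken from eBay's platform.

```javascript
// Added example for this article, not code from eBay or Check Point.
// It contrasts a blocklist filter with an allowlist sanitizer for
// seller-supplied "active content" (HTML a store owner embeds in a listing).
// The tokenizer is a deliberately small regex walker; a production system
// should use a parser-backed sanitizer such as DOMPurify instead.

// Blocklist approach: remove <script> elements and nothing else.
// Everything not on the list (inline event handlers, javascript: URLs) passes.
function blocklistFilter(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Allowlist approach: only these tags and per-tag attributes survive.
// (Constructed for the example; a real marketplace would tune the lists.)
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "div", "span", "a", "img"]);
const ALLOWED_ATTRS = {
  a: new Set(["href", "title"]),
  img: new Set(["src", "alt", "width", "height"]),
};
// URL attributes must use an explicit http(s) scheme, a site-relative path or
// a fragment; javascript:, data: and vbscript: values are rejected by construction.
const SAFE_URL = /^(?:https?:\/\/|\/|#)/i;

function sanitizeAttrs(tag, attrString) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const kept = [];
  const attrRe = /([a-zA-Z:-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || "");
    if (!allowed.has(name)) continue;                 // drops on*, style, srcdoc, ...
    if ((name === "href" || name === "src") && !SAFE_URL.test(value.trim())) continue;
    kept.push(`${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return kept.length ? " " + kept.join(" ") : "";
}

function allowlistSanitize(html) {
  // 1. Remove script and style elements together with their contents, so the
  //    body of a <script> does not survive as visible text.
  let out = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  // 2. Walk the remaining tags; anything not allowlisted is dropped, and allowed
  //    tags are rebuilt from scratch with only their allowlisted attributes.
  out = out.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (whole, rawTag, attrs) => {
    const tag = rawTag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";
    if (whole.startsWith("</")) return `</${tag}>`;
    return `<${tag}${sanitizeAttrs(tag, attrs)}>`;
  });
  return out;
}

// Constructed sample listing fragment (not real eBay content): legitimate
// seller markup mixed with the kinds of content a filter must remove.
const SAMPLE_LISTING = '<p>Great <b>deal</b>!</p>' +
  '<a href="https://example.com/item" title="more" onclick="x()">details</a>' +
  '<img src="x" onerror="alert(1)">' +
  '<a href="javascript:alert(2)">buy</a>' +
  '<iframe src="https://example.com/"></iframe>' +
  '<script>alert(3)</script>';

// Runs both filters over the sample so the difference can be inspected.
function demo() {
  return { blocklist: blocklistFilter(SAMPLE_LISTING), allowlist: allowlistSanitize(SAMPLE_LISTING) };
}

console.log(demo());
```

The blocklist result still carries the `onerror` and `onclick` handlers and the `javascript:` link, which is why a filter that enumerates bad constructs keeps needing patches; the allowlist result keeps the seller's paragraph, link and image and nothing else. Two points of design: real sanitizers decode HTML entities before checking a URL's scheme, and this regex walker is only an illustration, since parsing HTML with regular expressions misparses attribute values containing `>`. Rendering seller content inside a sandboxed iframe on a separate origin, behind a Content Security Policy, limits what any filter miss can reach.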

Large corporations are increasingly being warned about similar vulnerabilities on their own websites. Recently the BBC reported that a bug spotted by security researcher Paul Moore on the Asda website had remained live for at least two years. Following the report, the retailer took action to address and resolve the issue.

One security expert Graham Cluley weighed in on the subject, “Sadly many firms turn a blind eye to security problems on their websites until the media get a whiff that something bad is going on.” He added, “I don’t think it is necessarily the case that websites are more bug-ridden than ever before, but rather that more and more vulnerability researchers are hunting for flaws on popular websites, and knowledge regarding bad practices and sloppy security is growing in the tech community.”

Large corporations clearly need to act decisively to protect not only themselves and their business but also their customers, because these security threats are real, malicious, and can affect millions of people worldwide with catastrophic financial consequences. In eBay's case alone, had the malware not been caught, or had eBay simply ignored the issue, over 160 million people worldwide could have been affected.