eBay Inc. (NASDAQ:EBAY) is one of the largest online marketplaces, which makes it an ideal target for hackers. It is also monitored heavily by online security companies looking to detect malware.
Last year, security firm Check Point discovered evidence of a security defect on the platform, which sends malware to eBay users who access the site using Windows, iOS, and Android devices. However, eBay said it has no plans to fix the vulnerability.
The security defect exploits the ‘active content’ feature of eBay, which is mostly used by sellers to add basic HTML to their pages to emphasize text.
Flaw Spares no OS
What is baffling about this security flaw is the fact that it poses a threat to Apple's rigorous app review process, which normally detects such threats before they are allowed to run on iOS.
The crooks in question have bypassed this stringent app vetting process by having false mobile phone management credentials, which allow them to send apps to user devices upon request.
“Anyone can open an online store but usually once you open it you are very restricted with the functions you can use,” said Oded Vanunu, top security researcher at Check Point. “However, with JSF**K we found that the eBay infrastructure is blind to this so cyber criminals can bypass the filter and redirect users to their malicious servers.”
Mr. Vanunu has in the past detected security flaws that affect software firms such as Google, Apple and WhatsApp.
eBay Inc. (NASDAQ:EBAY) should move with speed to tackle this flaw as hackers can plant malware on user devices and collect useful information that can be used in phishing scams.
eBay Still Reluctant
This seems a long shot, considering that Check Point alerted eBay to the issue in December and eBay in turn refused to plug the leak, as it has no plans to do away with the ‘active content’ feature.
eBay refused to fix the problem, saying it has its own methods of preventing the threat, though Check Point said such methods can be easily bypassed.
When asked for a comment, eBay gave a standard response, so I leave it up to you to guess whether any action will be taken.
“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world,” the firm responded to our email. “We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”