If you’re an eBay user, you may want to be extra cautious the next time you visit an eBay store page: researchers from security firm Check Point discovered a vulnerability that allows criminals to bypass the site’s code validation process and control the code themselves.
Once the attackers bypass the validation process, they are able to distribute malware. To do this, the attacker sets up a store page with listings for products. On the page, a pop-up message appears telling customers that they can receive a limited-time discount if they download the eBay mobile app.
Users who click the download button are unknowingly downloading the malicious code and putting their device at risk.
“The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point.
Although Check Point made eBay aware of the vulnerability on December 15th, 2015, the company apparently responded on January 16th saying that it had no plans to fix the flaw. Thankfully, it’s relatively easy to avoid if you’re on the lookout.