Researcher: eBay isn’t addressing security flaw

According to a Check Point researcher, eBay is aware of a flaw involving JavaScript code, but it just doesn’t plan to do anything about it. Find out what it means for your company. 

The researcher found that the vulnerability “allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious JavaScript code on targeted eBay users.”

In practice, this means that someone posting content on eBay could embed malicious code in it, so that other eBay users who view that content are, for instance, prompted to download malicious applications or tricked into handing over their login credentials.

But eBay’s stance on the issue so far is that it has no plans to address the problem.

Bypasses own defenses

eBay does have measures in place to prevent JavaScript insertion, but this attack works around that filtering: the code passes eBay’s validation and still runs as script in the browser of the user who views it.
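To see why a filter that blocks known-bad patterns can be passed by code that still executes, here is an added illustration written for this article. It is not eBay’s code, not Check Point’s proof of concept, and it does not reproduce the bypass they reported; the two sanitizers and the test payloads are constructed for the example. It places a blocklist filter (strip the “known bad” and pass everything else through) next to an allowlist sanitizer that rebuilds the output from a short list of harmless tags.

```javascript
// Added example: blocklist filtering vs. allowlist rebuilding of user-supplied HTML.
// Nothing here is eBay's code; the filters and payloads are constructed for illustration.

// --- Blocklist approach: remove known-bad fragments, pass everything else through ---
const BLOCKED = [
  /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, // <script> blocks
  /javascript:/gi,                           // javascript: URLs
];

function blocklistSanitize(html) {
  let out = html;
  for (const re of BLOCKED) out = out.replace(re, "");
  return out; // anything the patterns did not anticipate survives unchanged
}

// --- Allowlist approach: emit only tags we recognise, with attributes we construct ---
const ALLOWED_TAGS = new Set(["b", "i", "u", "p", "br", "ul", "li", "a"]);
const SAFE_HREF = /^https?:\/\/[^\s"'<>]+$/i;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

function allowlistSanitize(html) {
  const tagRe = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags is always escaped
    last = tagRe.lastIndex;
    const [, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;       // unknown tag: dropped entirely
    if (slash) { out += `</${name}>`; continue; }
    if (name === "a") {
      // Only an http(s) href is carried over; every other attribute is discarded.
      const href = /\bhref\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
      out += href && SAFE_HREF.test(href[1])
        ? `<a href="${escapeText(href[1])}" rel="noopener">`
        : "<a>";
    } else {
      out += `<${name}>`; // onerror, style, etc. never reach the output
    }
  }
  out += escapeText(html.slice(last));
  return out;
}

// Crude check for the demo: does the output still carry something a browser would run?
function hasActiveContent(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html) || /javascript:/i.test(html);
}

// Constructed payloads (illustrative, not taken from the eBay report).
const PAYLOADS = {
  // No <script> and no "javascript:", so the blocklist has nothing to remove.
  eventHandler: '<img src=x onerror="alert(1)">',
  // Removing the inner <script>...</script> once reassembles a real <script> element.
  splitTag: "<scr<script>ipt>alert(1)</scr</script>ipt>alert(1)</script>",
};
const BENIGN = '<p>Like <b>new</b>, see <a href="https://example.com/item">photos</a></p>';

for (const [label, payload] of Object.entries(PAYLOADS)) {
  console.log(label, "blocklist ->", JSON.stringify(blocklistSanitize(payload)),
              "active:", hasActiveContent(blocklistSanitize(payload)));
  console.log(label, "allowlist ->", JSON.stringify(allowlistSanitize(payload)),
              "active:", hasActiveContent(allowlistSanitize(payload)));
}
console.log("benign allowlist ->", allowlistSanitize(BENIGN));
```

The blocklist version returns `<script>alert(1)</script>` for the split-tag payload and passes the `onerror` handler through untouched, because it only knows how to remove the patterns its author thought of. The allowlist version never copies input markup to the output at all; every tag and attribute it emits is one it constructed itself, so an unanticipated encoding trick degrades to harmless escaped text rather than to executable script.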

It has been suggested that eBay is reluctant to fix the flaw because a fix might interfere with other parts of its site.

Accepting a security risk rather than dealing with potential glitches is a dangerous path for any company. No one wants a change to interfere with normal operations, but leaving a publicly known vulnerability in place to avoid that is no long-term solution.

Make sure you have a plan for addressing any bugs you discover rather than taking the “devil you know” approach.