Unpatched eBay vulnerability leaves shoppers at risk of downloading malware

Image source: eBay Inc.

Be extra careful the next time you visit a suspicious-looking eBay store page.

According to Help Net Security, researchers from the security firm Check Point have discovered a vulnerability in the eBay platform that lets criminals bypass the site’s code validation process, place code of their own on eBay pages, and use it to distribute malware.


Here’s how it works: an attacker sets up a store page with product listings. On that page, a pop-up message tells customers that they can receive a limited-time discount if they download the eBay mobile app. A user who clicks the download button unknowingly downloads the attacker’s code instead and puts their device at risk.

Here’s a video of the attack in action:

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point.

Although Check Point made eBay aware of the vulnerability on December 15th, 2015, the company apparently responded on January 16th saying that it had no plans to fix the flaw. Thankfully, the attack is relatively easy to avoid if you’re on the lookout for it.

Source: Help Net Security