Unpatched eBay vulnerability leaves shoppers at risk of downloading malware

Published Feb 3rd, 2016 9:45PM EST

Be extra careful the next time you visit a suspicious-looking eBay store page.

According to Help Net Security, researchers from the Check Point security firm have discovered a vulnerability in the eBay platform that allows criminals to distribute malware by bypassing the site’s code validation process and controlling the code themselves.

Here’s how it works: an attacker sets up a store page with listings for products. On the page, a pop-up message appears telling customers that they can receive a limited-time discount if they download the eBay mobile app. By clicking the download button, the user unknowingly downloads the attacker’s code and puts their device at risk.

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point.

Check Point made eBay aware of the vulnerability on December 15th, 2015, but eBay apparently responded on January 16th saying that it had no plans to fix the flaw. Thankfully, the attack is relatively easy to avoid if you’re on the lookout.

Jacob Siegal, Associate Editor

Jacob Siegal is Associate Editor at BGR, having joined the news team in 2013. He has over a decade of professional writing and editing experience, and helps to lead our technology and entertainment product launch and movie release coverage.