eBay Flaw Lets Attackers Push Malware and Launch Phishing Sites


JSF**k JavaScript library abused to deliver malware.

Security researchers have alerted eBay’s staff about a vulnerability in its online platform that lets attackers launch phishing sites and push malware to the site’s visitors using a JavaScript library called JSF**k.

JSF**k is a for-fun project put together by Martin Kleppe. The library reduces some of JavaScript’s core operations to sequences of just six characters. Developers can use [, ], (, ), !, and + to write fully functional JavaScript code. The code can be quite lengthy, but it will execute in any browser.

Attacks are carried out via user-created eBay stores

Check Point’s Roman Zaikin has discovered that attackers can create their own eBay stores and use each product’s “Item description” field to host malicious JavaScript code in JSF**k syntax.

The issue was discovered on December 15, 2015, and on January 16, 2016, eBay’s developers said they won’t fix it. For that reason, Check Point’s staff did not reveal in their vulnerability disclosure how they managed to load the JSF**k library on the eBay store.

What’s known is that the malicious JSF**k code embedded on the store’s product pages, which can be extremely lengthy, can fit in the Item Description field. This allows attackers to craft JavaScript code that’s complex enough to show popup login forms to perform phishing attacks, and even launch file downloads on the user’s PC or mobile.

The JSF**k attack is invisible to eBay’s security system

Since the malicious JSF**k code is made up only of the [, ], (, ), !, and + characters, this attack won’t trigger any of eBay’s XSS and CSRF security protection systems, which don’t check for the presence of any of these characters.
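The gap described above can be narrowed with a content check on user-supplied fields. The following is an added example, not code from eBay or Check Point: it flags text containing long runs made up only of the six JSF**k characters. The function names, the 40-character threshold and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: flags long runs made only of the six JSFuck characters.
// MIN_RUN is an assumed threshold, not a value from eBay or Check Point.
const JSFUCK_RUN = /[\[\]()!+](?:\s*[\[\]()!+])*/g;
const MIN_RUN = 40;

function findJsfuckRuns(text, minRun = MIN_RUN) {
  const hits = [];
  for (const m of text.matchAll(JSFUCK_RUN)) {
    // Count only the six characters; whitespace between them is ignored,
    // so splitting the code across lines does not hide it.
    const length = m[0].replace(/\s+/g, "").length;
    if (length >= minRun) hits.push({ offset: m.index, length });
  }
  return hits;
}

function reviewDescription(text, minRun = MIN_RUN) {
  const runs = findJsfuckRuns(text, minRun);
  const symbolChars = (text.match(/[\[\]()!+]/g) || []).length;
  const nonSpace = text.replace(/\s+/g, "").length;
  return {
    flagged: runs.length > 0,
    runs,
    // Share of non-whitespace characters drawn from the six-character set
    symbolRatio: nonSpace === 0 ? 0 : symbolChars / nonSpace,
  };
}

// Constructed sample inputs (not taken from any real listing)
const benign = "Vintage camera (1972) + case! Ships in 3 days [tracked].";
const fragment = "(![]+[])[+[]]"; // 13 characters; evaluates to the string "f"
const suspicious = "Great deal: " + (fragment + "+").repeat(10) + " buy now";
const spaced = "x " + fragment.split("").join(" \n").repeat(5) + " y";

console.log(reviewDescription(benign));
console.log(reviewDescription(suspicious));
console.log(reviewDescription(spaced));
```

Ordinary listings use these characters only in short bursts, so the run length separates them from encoded script; the threshold should be tuned against real description data before it is used to block or queue items for review.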

Besides creating the malicious code and the eBay store to host it, attackers only need to distribute their store’s links to desired targets.

Check Point provided two proof-of-concept videos to demonstrate their attack.