A security vulnerability on eBay could enable hackers to embed malicious code and target buyers and sellers on the popular auction website. The flaw, which remains unpatched, could also make it possible for hackers to send out phishing links containing the malicious code, tricking recipients into believing an infected email was sent by eBay.
Researchers at the Israeli cybersecurity company Check Point first found the bug last year, quietly disclosing the vulnerability to eBay Dec. 15. The company responded Jan. 16, although it has yet to provide a fix nearly two months after the initial disclosure, the software news site PCI News reported Thursday.
All of eBay's 160 million users could become victims in the attack, Israel's Channel 2 News reported.
“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to an attractive product to execute the attack,” Oded Vanunu, security research group manager at Check Point, said in a blog post. “The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user's account.”