An eBay sign is seen at an office building in San Jose, California, May 28, 2014. REUTERS/Beck Diefenbach

A security vulnerability on eBay could enable hackers to embed malicious code and target buyers and sellers on the popular auction website. The flaw, which remains unpatched, could also make it possible for hackers to send out phishing links containing the malicious code, tricking recipients into believing an infected email was sent by eBay.

Researchers at the Israeli cybersecurity company Check Point first found the bug last year and quietly disclosed it to eBay on Dec. 15. eBay responded Jan. 16 but has yet to provide a fix, nearly two months after the initial disclosure, the software news site PCI News reported Thursday.

The vulnerability lets attackers bypass eBay's code validation, the filter meant to screen out illegitimate data, and inject malicious JavaScript. The attack begins when a user is directed to what looks like a legitimate shopping page but actually carries the injected JavaScript. From there, the code can scan the user's computer for personally identifiable information or, without the owner's knowledge, enlist the machine in a botnet used to launch distributed denial-of-service attacks.
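The weakness the article describes is a content filter that tries to recognise dangerous markup in seller-supplied text and remove it. The example below is added here for illustration and is not eBay's or Check Point's code; it contrasts a denylist filter that only strips `<script>` tags with output encoding, which turns every markup character into an HTML entity so the browser displays it as text rather than executing it. The listing descriptions are constructed samples, and `probe()` is a placeholder function name.

```javascript
// Added example (not eBay's or Check Point's code). Two approaches to
// handling untrusted listing text before it is rendered in a page.

// Denylist filter: removes <script> tags and nothing else. It is case
// sensitive and knows nothing about other markup that can carry script,
// so it is easy to miss cases the author never enumerated.
function denylistFilter(input) {
  return input.replace(/<\/?script[^>]*>/g, "");
}

// Output encoding: every character with meaning to the HTML parser is
// replaced by its entity, so whatever the seller typed is shown literally.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Check on a sanitiser's output: does any raw tag opening survive?
// Useful as a unit test on whatever filter a site actually deploys.
function containsRawTag(html) {
  return /<\s*[a-zA-Z!/]/.test(html);
}

// Constructed sample descriptions a seller might submit.
const samples = [
  "Brand new phone, <b>unlocked</b>",
  "Great TV <script>probe()</script>",
  "Cheap laptop <SCRIPT>probe()</SCRIPT>",
  'Nice watch <img src=x onerror="probe()">',
];

// Run both approaches over the samples and report whether raw markup
// reaches the output in each case.
function evaluate(descriptions) {
  return descriptions.map((d) => ({
    input: d,
    denylistLeavesMarkup: containsRawTag(denylistFilter(d)),
    escapedLeavesMarkup: containsRawTag(escapeHtml(d)),
  }));
}

console.table(evaluate(samples));
```

The denylist passes the harmless `<b>` formatting through, which is why such filters are attractive to a marketplace, but it also passes the upper-case tag and the event-handler attribute. Encoding blocks all four uniformly, including the legitimate bold tag; a site that wants to allow some seller formatting needs an allowlist-based HTML sanitiser that keeps only named tags and attributes, not a list of things to remove.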

All of eBay's 160 million users could become victims in the attack, Israel's Channel 2 News reported.

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to an attractive product to execute the attack,” Oded Vanunu, security research group manager at Check Point, said in a blog post. “The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user's account.”

This security disclosure comes after more than 100 sales listings were set up as bait to dupe customers into turning over personal information in September 2014, the BBC reported. Smartphones, televisions and other attractive items were listed for sale to direct customers to the fake page where they were asked to log in with their eBay credentials and share banking information. The e-commerce company was heavily criticized after it released a statement saying it would not suspend use of JavaScript or Flash, the software that made the attack possible.

“Obviously having JavaScript and Flash and all that wonderful stuff is great for the seller,” security researcher Brian Honan told the BBC. “But it exposes eBay and its customers to security risks. Until eBay has the ability to automatically identify malicious links, it should disable JavaScript until they have some way of better controlling the risk. The needs of the many outweigh the needs of the few.”