Security researchers have alerted eBay's staff about a vulnerability in its online platform that lets attackers launch phishing sites and push malware to the site's visitors using a JavaScript library called JSF**k.
JSF**k is a for-fun project put together by Martin Kleppe. The library reduces some of JavaScript's core operations to a set of six characters. Developers can use [, ], (, ), !, and + to write fully functional JavaScript code. The resulting code can be quite lengthy, but it will execute in any browser.
Attacks are carried out via user-created eBay stores
Check Point's Roman Zaikin has discovered that attackers can create their own eBay stores and use each product's "Item description" field to host malicious JavaScript code in JSF**k syntax.
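A defensive check for the kind of input described above, as an added example that is not code from eBay, Check Point or the JSF**k project: it flags user-supplied description text containing long runs made only of the six characters. The function names, the 40-character threshold and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: detect long runs built only from [ ] ( ) ! + in user text.
// A run starts at one of the six characters and may be interleaved with
// whitespace, which JavaScript ignores between tokens.
const SIX_CHAR_RUN = /[\[\]()!+][\[\]()!+\s]*/g;

// Return every run whose non-whitespace length reaches minLength.
// minLength is an assumed threshold; ordinary prose such as "(new!)" or
// "[1]" yields runs of only a few characters.
function findSixCharRuns(text, minLength = 40) {
  const hits = [];
  for (const m of text.matchAll(SIX_CHAR_RUN)) {
    const symbols = m[0].replace(/\s/g, "");
    if (symbols.length >= minLength) {
      hits.push({ index: m.index, length: symbols.length });
    }
  }
  return hits;
}

// Summarise one description field for a moderation or logging pipeline.
function assessDescription(text, minLength = 40) {
  const runs = findSixCharRuns(text, minLength);
  const flagged = runs.reduce((n, r) => n + r.length, 0);
  return {
    suspicious: runs.length > 0,
    runs,
    ratio: text.length === 0 ? 0 : flagged / text.length,
  };
}

// Constructed samples. FRAGMENT is a harmless expression in the
// six-character style that only concatenates two letters.
const FRAGMENT = "(![]+[])[+[]]+(![]+[])[+!+[]]";
const ENCODED = Array(3).fill(FRAGMENT).join("+");
const BENIGN = "Brand new phone (unlocked!) + charger [EU plug]. Ships fast!!";
const LISTING = "Great item, see details: " + ENCODED + " thanks";
// Same payload broken up with newlines every 10 characters.
const SPLIT = ENCODED.replace(/(.{10})/g, "$1\n");

console.log(assessDescription(BENIGN));
console.log(assessDescription(LISTING));
console.log(assessDescription(SPLIT));
```

A length heuristic like this is a signal for review or logging on submitted content; it does not replace removing script from user-supplied HTML before it is rendered.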
Since this issue was discovered on December 15, 2015, and eBay's developers said on January 16, 2016, that they won't fix it, Check Point's staff did not reveal in their vulnerability disclosure how they managed to load the JSF**k library on the eBay store.