A major flaw on eBay's online sales platform is being used to target customers with malware across Android, iOS and Windows devices, but eBay has said that it has no intention of fixing the vulnerability.
Security company Check Point uncovered evidence of the flaw last year. It involves exploiting the ‘active content’ capability of eBay that is mostly used for nothing more than adding basic HTML on seller pages to emphasise text.
eBay has a filter in place to ensure that sellers do not use anything more complex than this, such as JavaScript or iFrames, so that pop-ups and app download prompts cannot run, whether on Android, iOS or Windows machines.
However, Check Point discovered that by using a version of JavaScript termed JSF**K, cyber crooks are able to bypass these filters and trick users into downloading malicious apps, or present pop-up boxes asking for information.
The video below shows the attack in action on an iPhone, tricking the user into downloading a malicious app.
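
As an added example (not Check Point's or eBay's code): JSF**K writes JavaScript using only the six characters `[ ] ( ) ! +`, so a filter that looks for familiar keywords has nothing to match, but a listing sanitiser can flag long runs made up solely of those characters. The function name, thresholds and sample listings below are assumptions constructed for illustration.

```javascript
// Added example: flag JSF**K-style script in seller-supplied listing HTML.
// Names, thresholds and sample listings are assumptions, constructed here.

// A run of the six symbols, allowing whitespace between them.
const SYMBOL_RUN = /[\[\]()!+](?:\s*[\[\]()!+])*/g;

function findSymbolOnlyRuns(html, minLength = 40, minDistinct = 4) {
  const hits = [];
  for (const m of html.matchAll(SYMBOL_RUN)) {
    const symbols = m[0].replace(/\s+/g, "");
    // Ordinary listing text has short runs such as ") + (" or "!)";
    // encoded script needs a long run mixing brackets with "!" and "+".
    if (symbols.length >= minLength && new Set(symbols).size >= minDistinct) {
      hits.push({ offset: m.index, length: symbols.length });
    }
  }
  return hits;
}

// Constructed benign listing: basic HTML emphasis and normal punctuation.
const BENIGN = "<p><b>Brand new!</b> Sizes (S) + (M) [boxed]</p>";

// Constructed suspicious listing: the fragment only evaluates to the letter
// "f"; repeated, it stands in for a symbol-encoded script body.
const FRAGMENT = "(![]+[])[+[]]+";
const SUSPICIOUS =
  "<p>Great item</p><script>" + FRAGMENT.repeat(8) + "[]</script>";

// Same content with line breaks inserted, to show whitespace is tolerated.
const WRAPPED = SUSPICIOUS.split("+").join("+\n");

console.log(findSymbolOnlyRuns(BENIGN));
console.log(findSymbolOnlyRuns(SUSPICIOUS));
console.log(findSymbolOnlyRuns(WRAPPED));
```

A hit is a signal to reject or hold the listing for review; it complements tag and attribute allow-listing and does not replace it.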