Check Point alerts eBay to an online sales platform vulnerability which allows cyber criminals to distribute phishing and malware campaigns.

eBay, the online auction and e-commerce giant, has locations in over 30 countries and serves more than 150 million active users worldwide. As a successful company with a massive customer base, it’s no surprise that the corporation has been the target of many cyberattacks.

Check Point has discovered a severe vulnerability in eBay’s online sales platform. This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious Java script code on targeted eBay users. If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.

An attacker could target eBay users by sending them a legitimate page that contains malicious code. Customers can be tricked into opening the page, and the code will then be executed by the user’s browser or mobile app, leading to multiple ominous scenarios that range from phishing to binary download.

After the flaw was discovered, Check Point disclosed details of the vulnerability to eBay on Dec 15, 2015. However, on January 16, 2016, eBay stated that they have no plans to fix the vulnerability. The exploit Demo is still live.

 

 

 

 

Vulnerability Discovery

Check Point security researcher Roman Zaikin recently discovered a vulnerability that allows attackers to execute malicious code on eBay users’ devices, using a non-standard technique called “JSF**k.” This vulnerability could allow cyber criminals to use eBay as a phishing and malware distribution platform.

To exploit this vulnerability, all an attacker needs to do is create an online eBay store. In his store details, he posts a maliciously crafted item description. eBay prevents users from including scripts or iFrames by filtering out those HTML tags. However, by using JSF**k, the attacker is able to create a code that will load an additional JS code from his server. This allows the attacker to insert a remote controllable JavaScript that he can adjust to, for example, create multiple payloads for a different user agent.

eBay performs simple verification, but only strips alpha-numeric characters from inside the script tags. The JSF**k technique allows the attackers to get around this protection by using a very limited and reduced number of characters.

This is what you get if you include your remote website JavaScript:

pic 1

 
This is how a simple JSF**k script looks:

pic 2

 
This is how a successful exploitation of the vulnerability would look:

pic 3

 

As shown, the message which appears on eBay’s website application (specifically, on the attacker’s store on the eBay site) entices the unsuspecting user into downloading a new eBay mobile application by offering a one-time discount.

For example, if a user taps the `download` button, he will unknowingly download a malicious application to his mobile device.

 

Check Point Says…

“The eBay attack flow provides cybercriminals with a very easy way to target users: sending a link to a very attractive product to execute the attack. The main threat is spreading malware and stealing private information. Another threat is that an attacker could have an alternate login option pop up via Gmail or Facebook and hijack the user’s account,” said Oded Vanunu, Security Research Group Manager at Check Point. “Check Point continues to be on the lookout for vulnerabilities in common software apps and Internet platforms. By disclosing threats as they are discovered today, we protect the future.”

 

About JSF**k

Written by Martin Kleppe, this technique, which uses non-alphanumeric characters, allows the attacker to bypass IDSsIPSs  and WAFs payload sanitation. Only 6 different characters are used: []()!+

The following basic vocabulary helps us write anything we need:

  1. [ and ] – Access array elements, objects properties, get numbers and cast elements to strings.
  2. ( and ) – Call functions and avoid parsing errors.
  3. + – Append strings, sum and cast elements to numbers.
  4. ! – Cast elements to Booleans.

 

How the Logic Works

Let’s start by representing numbers using this technique. If you want to get 0, it’s written as +[]:

pic 4

This works because we print the first value from an empty list, so it is zero.

According to our basic vocabulary, if you want to cast that to Boolean values “true” or “false”, we just add an exclamation point “!”:

pic 5

If we cast “true” to an integer, we get the number 1.

To cast the Booleans to integers, all we do is to add +. If we want strings, we add +[], as in the following:

pic 6

As you can see, the logic is very simple. If we want to combine them to get bigger numbers such as 123, we just write the number 1,2,3 as strings and translate it to an integer. We can write any integer we like with this technique.

pic 7

To get characters, we write the same symbols and use the output as an array, as in the following:

  • True – Obtained from !![]
  • False – Obtained from ![]
  • NaN – Obtained from cast an object to number: +{}
  • “[object Object]” – Obtained from  []+{}
  • Undefined – Obtained by accessing a non-existing element to an array: [][+[]]

Using the symbols, we get these characters: “a”, “b”, “c”, “d”, “e”, “f”, “i”, “j”, “l”, “n”, “N”, “o”, “O”, “r”, “s”, “t” and “u”.

Playing with our alphabet and these strings, we can get the following functions:

  • Function from array[“sort”][“constructor”]
  • Array from array[“constructor”]
  • Boolean from false[“constructor”]
  • Number from 0[“constructor”]
  • Object from {}[“constructor”]
  • String from string[“constructor”]
  • prototype.call from f[“call”]
  • prototype.concat from string[“concat”]
  • prototype.join from array[“join”]
  • prototype.slice from array[“slice”]
  • prototype.sort from array[“sort”]

Exploring the DOM helps us get the rest of the characters, such as:

Function(“return location”)() gives us “h”, “p”, “/”, so we can now create a word.

Unescape(“%” + HEXA_ASCII_VALUE) – We are missing the character %, but can obtain it by escaping “[“. This gives us the output %5B.

pic 8

The following code represents the text alert(1) within JavaScript tags:

pic 9

The result is normal JavaScript code with 6 non-alphabetic characters.

 

 

Responsible Disclosure and eBay’s Response

Our initial report was on December 15th, followed by a PoC (proof of concept) and a description of the vulnerability details.

Apparently, someone in eBay decided that this is not vulnerability, as they allow active content?

Let’s go back to the topic of active content. Yes, eBay does allow active content but it has a very strict policy to control what it does allow (for obvious reasons).

pic 9

As we demonstrated to the eBay security team in the PoC, we were able to bypass their security policies and insert a malicious code to our seller page without any difficulty or restriction.

At this point, all we can do is hope that eBay will eventually decide to do something about this vulnerability.

 


  1. This is an excellent technical description of Javascript obfuscation and how simple whitelisting of HTML and JS tags do not solve the problem. The problem is input validation. JS code in this form should not be accepted as user input text by eBay. This vulnerability is fundamentally contradictory to best practice for web development and web application format.

    In a past life, I was performing this research for many clients on a weekly basis to test web administrators/programmers ability to properly sanitize the user input on their webpages. This brings back memories. Thank you for the excellent read.
    Charlton Jubeark, SE

    • This isn’t text input though. It is limited HTML to be displayed in an iFrame on eBays site. So treating it as text and stripping everything does not accomplish the same thing.

  2. ebaystolemyusername says:

    I’ve just had a call from eBay (who opened the conversation saying that the call was being recorded his end) and had my account suspended for “Unauthorised Penetration Testing” :D
    What is frustrating is the guy I spoke to was fairly decent and seemed to essentially say that I’m on their naughty list but my account will be left alone unless I continued to test. But he suspended my account when I stated that I was also recording the call my end (all my calls are) and asked if he minded if I published the call.

    Looks like I’m unlikely to get my account back (impossible to inbound-call the department that called me) – so if checkpoint would like it – you are welcome to a copy of the call.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Please complete the equation to verify your submission. * Time limit is exhausted. Please reload the CAPTCHA.