eBay knows there’s a horrible malware vulnerability in its code but hasn’t fixed it

There’s bad news and worse news for frequent bidders on eBay. The bad news is that the platform has a severe flaw that could let malicious attacks through. The worse news? eBay reportedly knows about this flaw but won’t fix the issue.

The report of the issue came on Monday from Israeli security firm Check Point. According to the company, the vulnerability makes it possible for attackers to bypass eBay’s code validation process and remotely execute malicious code targeted toward eBay users. 

This type of attack would leave users exposed to a considerable amount of potential harm, ranging from phishing attempts to data theft and stealth installations of ransomware downloads.

Check Point discovered the flaw on December 15, 2015, and reported it to eBay. On January 16, 2016, eBay reported back to the security outfit that it had no plans to address the vulnerability. As of yesterday’s blog post made by Check Point, the flaw was still live on eBay’s site.

Videos uploaded by Check Point appear to show the exploit in action.


In a statement to the Daily Dot, an eBay spokesperson said, “We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”

According to the spokesperson, eBay has been in touch with the researcher who spotted the issue and has “implemented various security filters based on his findings to detect this exploit.”

In the fourth quarter of 2015, eBay reported over 162 million active users on its platform. The spokesperson insisted on the company’s commitment to “providing a safe and secure marketplace.”

“Since we allow active content on our site it’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace,” the spokesperson explained.

H/T ZDNet | Photo via Kazuhisa OTSUBO/Flickr (CC BY 2.0)

AJ Dellinger


AJ Dellinger is a seasoned technology writer whose work has appeared in Digital Trends, International Business Times, and Newsweek. In 2018, he joined Gizmodo as the nights and weekend editor.