
Why eBay Isn't Fixing Its Latest Security Problem

When a third-party researcher uncovers evidence of a high-profile security bug that puts consumers' account information at risk, the company in question usually rushes to the rescue with patches, updates and press releases. However, when researchers from security startup Check Point Software notified eBay of a potentially crippling malware protection flaw, they were surprised to be met with radio silence.

That's the story from Oded Vanunu, a researcher with Check Point who first noticed a bug in eBay's JavaScript code policies. The flaw allows users to embed their own executable JavaScript code on pages to phish account information away from legitimate users. While users still have to give initial access to the phishing code, once it's in, it can trawl everything in a user's account.

Ars Technica reported that Vanunu and Check Point claim they originally contacted eBay about the flaw in mid-December, but did not hear back until Jan. 16. The news was surprising: eBay said it wouldn't be issuing a fix for the flaw and provided no reasoning for the inaction.

An eBay spokeswoman reached out and wrote: “It's important to understand that malicious content on our marketplace is extraordinarily uncommon — we estimate it to be less than two listings per million that use active content on the eBay marketplace.”

“eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” the spokesperson told PYMNTS. “We take reported security issues very seriously and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”

There is some speculation that eBay's reluctance to fix the bug could be tied to overall site performance. If fixing the JavaScript bug causes additional problems across the eMarketplace, eBay might find the cure to be worse than the disease.


