When a third-party researcher uncovers evidence of a high-profile security bug that puts consumers’ account information at risk, the company in question rushes to the rescue with patches, updates and press releases. However, when researchers from security startup Check Point Software notified eBay of a potentially crippling malware protection flaw, they were surprised to hear radio silence.
That’s the story from Oded Vanunu, a researcher with Check Point who first noticed a bug in eBay’s JavaScript code policies. The flaw allows users to embed their own executable JavaScript code on pages to phish account information away from legitimate users. While users still have to give initial access to the phishing code, once it’s in, it can trawl everything in a user’s account.
Ars Technica reported that Vanunu and Check Point claim that they originally contacted eBay in mid-December about the flaw, but it wasn’t until Jan. 16 that they heard back. The news was surprising; eBay said it wouldn’t be issuing a fix for the flaw and provided no reasoning for the inaction.
An eBay spokeswoman reached out to PYMNTS.com and wrote: “It’s important to understand that malicious content on our marketplace is extraordinarily uncommon — we estimate it to be less than two listings per million that use active content on the eBay marketplace.”
“eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” the spokesperson told PYMNTS. “We take reported security issues very seriously and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”
There is some speculation that eBay’s reluctance to fix the bug could be tied to overall site performance. If adjusting the JavaScript bug causes additional problems across the eMarketplace, eBay might find the cure to be worse than the disease.