The Importance of an Up-to-Date WAF

Earlier this week Check Point announced a significant code injection vulnerability on eBay’s website. The attack vector, known as JSF**K, can be used to inject JavaScript code into improperly protected websites, exposing users to a variety of phishing and malware attacks. Check Point notified eBay of the vulnerability more than a month ago and, after receiving a response from eBay stating that it had no plans to fix the issue, published it in order to warn users.

The JSF**K attack vector is an advanced form of JavaScript injection that uses only six different characters: ( ) [ ] ! and +. Because the payload contains none of the keywords or punctuation that injection signatures normally look for, it can go unnoticed by some Web Application Firewalls (WAFs), while still allowing the attacker to write code that compromises the website.
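The same property that lets JSF**K slip past keyword signatures is also what makes it detectable: legitimate input almost never contains long runs made only of those six characters. The following Python is an added example (not Reblaze's or Check Point's code) of a WAF-side heuristic that flags such runs in query parameters, checking the raw value and up to two rounds of percent-decoding; the run-length threshold, the helper names and the sample request are assumptions constructed for this example.

```python
from urllib.parse import unquote

# The JSF**K alphabet: every such program is written using only these six characters.
ALPHABET = "()[]!+"
# Flag any run of at least this many consecutive alphabet characters.
# Assumed threshold for this example; tune it against real traffic before deployment.
MIN_RUN = 16

def longest_run(value: str) -> int:
    """Length of the longest substring made only of JSF**K alphabet characters."""
    best = cur = 0
    for ch in value:
        cur = cur + 1 if ch in ALPHABET else 0
        best = max(best, cur)
    return best

def decoded_forms(value: str) -> list:
    """Return the raw value plus up to two rounds of percent-decoding, so that
    %28%5B... and double-encoded variants are inspected as well."""
    seen, cur = [], value
    for _ in range(3):
        if cur in seen:          # decoding changed nothing more; stop early
            break
        seen.append(cur)
        cur = unquote(cur)
    return seen

def is_jsfuck_like(value: str, min_run: int = MIN_RUN) -> bool:
    """True if any decoded form of the value contains a long alphabet-only run."""
    return any(longest_run(form) >= min_run for form in decoded_forms(value))

def scan_query(query: str) -> list:
    """Return the names of query parameters whose values look like JSF**K.
    Splits on '&' and '=' without form-decoding first, so a literal '+' is
    kept as '+' instead of being turned into a space and hiding the run."""
    flagged = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        if is_jsfuck_like(raw):
            flagged.append(unquote(name))
    return flagged

# Constructed sample request: two benign values and one percent-encoded "[]+[]+..." run.
SAMPLE_QUERY = (
    "q=phone+%28555%29+123-4567"
    "&note=a%2Bb%3Dc+%5Bdraft%5D"
    "&cb=" + "%5B%5D%2B" * 8 + "%5B%5D"
)

if __name__ == "__main__":
    print(scan_query(SAMPLE_QUERY))  # ['cb']
```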

Although it is a more advanced injection technique, JSF**K has been known for some time (for example, our clients have been protected against JSF**K since we first rolled out). Yet eBay did not protect against it in one (known) part of its website. eBay’s decision not to act on Check Point’s warning, while quite surprising, does shed some light on the difficulty that companies, even the largest ones, face in maintaining a strong and up-to-date Web Application Firewall (WAF) to protect their websites and users.

Maintaining the protection of a website becomes a significant challenge as a company grows and the responsibility is distributed among individual developers and security experts. The cliché that “a chain is only as strong as its weakest link” takes on a very real and dangerous meaning when every developer is required to keep up with the fast-changing landscape of security threats.

Moreover, reacting to change becomes increasingly difficult when new threats are discovered and patches need to be deployed quickly across all assets. This challenge is amplified as the complexity of the code base and infrastructure grows and development resources are stretched.

As Reblaze customers know, it is these difficulties (and more) that Reblaze’s service is designed to solve. By centralizing the protection of a website and placing it in the hands of a dedicated service with a team of security specialists, you can be assured that you are always protected against the latest threats.

