BBC Reports on Security Flaw Gives eBay Black Eye

by: Ming the Merciless

It'a good to see that the beeb has more cojones than American networks that cower in the presence of His Corporateness.

Ebay doesn't are who gets hurt as long as it isn't them.

The arrogance and contemptible behavior has no end.

by: Philip Cohen

"... However, we are aware that active content may also be used in abusive ways. Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code."

Fortunately, it’s very easy for anyone to tell when an eBay or "PreyPal" spokesperson is being disingenuous—their lips are moving! ... http://bit.ly/11F2eas

by: P.Dorf

ah, those same security features designed to protect user information...look at capps youtube vids (& elsewhere)to see this xss flaw has been going on for YEARS!

by: maxmad

it has gone on for quite a while, we have experienced many times, where our real-time virus protection halted an ebay page, from loading for virus warnings,

They have caused us much grief, as we would have to then bring our business to a stop, take al our pc's offline,  do Full scans of our computers and network data, and to determine the damage and clean the malicious code / virus.

Ebay is full of crap, a disgraceful poorly programmed and not to be trusted entity .

 

by: maxmad

FYI the last time this happened to us, (about a month ago ) the malicious code was embedded in an ebay guide, not a listing,  

by: Russ

A related article referencing the BBC appears on Engadget.  Written by Sean Buckley, his article refers to listings for used iPhones with re-directs to bogus eBay log-in pages...a nice tie-in to their TV ad campaign for that  $100 coupon if your phone doesn't sell.

Interestingly, when I clicked on the author's bio, there was a banner ad above the bio for eBay vs Verizon and how selling your phone on eBay could result in $150.00 more than if traded via Verizon...too much!

Come on down to the ''bay'' because the ''phising'' is great!

by: brokentoys19

Let me reiterate from another post here. This has been going on, and they have known about (and dismissed) it since 1999!

(Internet Archives)
"Web Application Security Consortium - Web hacking Incidents Database (WHID) - View Incident By ID

WHID 1999-1: eBay downplays security hole
Reported: 04 April 2006
Occurred: 19 April 1999

Classifications:

  Attack Method: Cross Site Scripting (XSS)
  Country: USA
  Outcome: Disclosure Only

A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.

References:

  eBay downplays security hole
  News Story, CNet, 19 April 1999
  'EBayla' Bug Strikes eBay
  News Story, Wired, 19 April 1999
  The Ebayla Bug And How To Protect Yourself
  Advisory, Because We Can (Miror), 21 April 1999

http://bit.ly/1DozDYg


Also see this and the infos in the description there:
http://youtu.be/Mb8UcBfvU6o and/or search youtube for ebay xss to see countless other live examples from all kinds of v-bloggers.


Ridiculous! The most rinky-dink forums, free email service, blog comments areas etc all strip javascripting (and/or other active content) from user generated content. Ebay should too, the risk far outweighs whatever perceived advantages are. But then again, hacking and ID theft victims are just noise.

One can be glad they are not in the child care business. They would argue that leaving your kids in a hot car to die is somehow acceptable.

by: DingDong

Thank you BBC for pointing and stating this in public. I guess eBay hasn't paid off that government where in the USA the government poo poos it.

by: brokentoys19

from the bbc article:
She [ebay spokesperson] added: "Cross-site scripting is not allowed on eBay and we have a range of security features designed to detect and then remove listings containing malicious code."

This is another example of doubletalk lies. They don't allow counterfeit either, but they just partnered with China knockoff manufacturers to flood the site with fake vintage goods.

They allow if not sanction whatever they can profit from, laws, morality, common decency be damned.

Burn down the house of ebay!

by: OnlyPollyPocket

When I was a little girl, my grandma said ''protect your reputation at all costs; once lost it is nearly impossible to recover.''  Guess ebay didn't have a grandma ;)

Almost without exception, when I mention that I sell online, I hear ''On ebay?'' coupled with a wrinkling of the nose.

by: Ric

I am amazed that Wall Street analysts continue to speak positively and recommend this IT stock given the massive site vulnerabilities. eBay will do nothing about site security unless the site is attacked or unless their Wall Street Masters demand the company takes swift and definitive action to protect the site.

eBay skimps on site security because site security costs real money to implement and eBay wants to show Wall Street profits which are not depleted by such mundane things as expensive costs related to site security.

eBay is so busy trying to please their Wall Street Masters financial expectations, that unless and until there is a problem, eBay will not address it since eBay applies band aids to security issues and does not take the time or dedicate the funds to actually upgrade security on the site.

Since Wall Street actually dictates how eBay spends their money, it is time that Wall Street demands an IT company like eBay make real and significant improvements to address all aspects of site security.  

by: InternetCarScams

Nothing new. XSS redirects have been going on since 2006 that i know of. The older ones used flash that may still be in use.

I produced this screen video in February this year, and used a Firefox plugin "no-script" to disable "JavaScript" and show the line of code that was redirecting the shopper elsewhere.

This was on eBay Motors UK. The motors site was infested with pages of redirects. http://wp.me/p4zfF4-2tw

by: Anonymous Annie

These are probably the same programmers who thought it was a good idea to prohibit the word ''cookie'' from being used in a listing.

See: http://tinyurl.com/qdho6y3

or

http://www.ecommercebytes.
com/C/letters/blog.pl?/pl/2012/5/1337096576.html

Apparently, because they were under the myopic impression that ANY use of the word ''cookie'' was some sort of attempt to read, or place, cookies in the buyer's web browser.

by: Santini

I remember, long, long before I had any dealings with ebay when I heard the company was going public, I thought it could no longer be the described "community" of sellers and buyers as it was back in the day. It would be forced to become the quarterly report driven servant of the wall street "community".

by: WhatsUp2656

@Ming. I would love to connect with you and I'm not sure if that is possible. I realize and understand fully your rightful anger.

by: brokentoys19

Paul Kerr, the person who posted the latest video
http://youtu.be/WT5TG_LvZz4

Reports finding another one, right under ebay's nose! [facepalm]

The link to a search for it is there  in comments, a mile long. (item #111468228887) , redirects to trans-insular.com. The page has been taken down, but the active listing is still present upon ebay, redirect from ebay persists

by: brokentoys19

Seller funnycat737, most likely hijacked account, shows 2 of the listings.

http://www.ebay.co.uk/sch/funnycat737/m.html

Great work ebay!  What was that you were saying about cross scripting not being allowed?  

by: The End

Black Eye ? We LOVE when that happens  :o)
All Ebay has to do is :
Remove ALL links to NON-EV SSL sites and the problem is SOLVED.
Of course they Could also make a filter to detect the XSS java script in the listings.
But they're too busy using the filter that detects the words MONEY ORDER, CHECK, & NO PAYPAL.
Morons in charge.
Hey Jack ! Take Ebay over !

by: brokentoys19

Re: " But they're too busy using the filter that detects the words MONEY ORDER, CHECK, & NO PAYPAL. "

Exactly! Makes me believe they must have found a way to monetize those listings. Because everything else goes POOF! in a heartbeat.

Paul Kerr also found others and has since posted another video

"ebay hacked again . 19/1/14 3nd night .... wow i would think they would have fixed this "

http://youtu.be/moyQxPQ9pJg

by: Puck

I was listing some unsold retread auctions yesterday through SYI Sell Similar.

On the review listing window I was prompted to sign into my account with what appeared to be the regular eBay log in page.

I just dumped the listings and moved on.