Should eBay ban Flash & Javascript to stop XSS flaws?


Following on from the BBC coverage of eBay XSS vulnerabilities, with several hundred listings identified as phishing for credentials directly on the eBay site, we thought we should poll the experts for some opinions.

eBay are caught between a rock and a hard place. On the one hand they could have a blanket ban on all active code such as Flash and Javascript in eBay listings. However, if they did, would it impact listings? We asked the people who create more listings than anyone: the listing designers. We spoke to several eBay specialist listing designers today whose clients between them have millions of active listings.

How a ban on active code would impact your custom listing design

The designers tell us that Javascript is a requirement if you want to achieve certain dynamic functionality within a listing. For example many eBay designers will be using Javascript to generate a dynamic Shop Category menu within listings.

Many sellers are also calling for responsive listing templates that adapt to tablet and mobile screens; the designers say that too relies heavily on Javascript, although responsive layout itself is largely a job for CSS media queries rather than script.

Another use of Javascript is image switching and super-zoom in the multiple-image galleries we see on listings.

The designers told us that if eBay did ban Javascript then yes, it would affect these listings, in that functions such as image zoom and pop-out menus would stop working. On the whole, however, for most sellers it would not make the template non-functional; only certain advanced features would break. Listings would not vanish or lose their graphic design; they would just lose their dynamic components.

Is HTML5 the answer?

The designers tell us that HTML5 is not yet fully supported within eBay listings, and even if it were, it would not allow for some of the functionality you see in descriptions or shops today. Plus, of course, HTML5 relies on the user having a bang up to date browser or it simply won't be supported.

You might think it's a great way to force users to update their browser, but run an HTML5 compatibility test and you'll find your (hopefully) up to date browser doesn't fully support HTML5 yet. Add older devices, which must include internet-enabled TVs, games consoles and a plethora of smartphones and tablets that cannot be upgraded to the latest versions, and you can see it's a bit of a problem.

In favour of keeping Flash and Javascript

For today's web we could probably live without Flash, but Javascript is so prevalent that hardly a website out there doesn't still use it, and literally millions of eBay listings rely on it for functionality. Plus, of course, if eBay were to ban the code, which seller wants to pay the cost of having their listing templates redesigned to HTML5 standards?

Perhaps a solution may be a ban on all active code except that specifically tested and approved by eBay. If they could work with the listing design companies their code could be approved, but of course there are hundreds of smaller companies whose code could be banned, not to mention the sellers who code their own listings. Approval would also only hold if eBay could tell the approved code from a copy with a few lines changed, which means eBay hosting it, or checking it against a known hash, rather than pattern-matching the listing text.

In favour of banning Flash and Javascript

Well, the BBC of course are in favour of a ban, and it would be fair to assume it is tempting for eBay themselves: banning active code would put an end to this class of XSS vulnerability and to the bad press.

eBay do already screen listings for active content. Their help text says: "If you try to use scripts that we disable, you'll get an error message that says "Disallowed JavaScript/HTML Syntax". This means you can't list the item, or the script will be disabled at run-time". Obviously that is not enough. A screen that looks for specific disallowed syntax is a blacklist, and a blacklist fails as soon as the same behaviour can be spelled in a way it does not recognise; attackers are ever more ingenious in finding holes and hitherto unknown bugs or undocumented features that let them bypass eBay's attempts to stop them.

Should eBay ban Flash & Javascript

As with anything on the net it’s a race between the hackers and the good guys, but what do you think? Should eBay simply ban all Flash and Javascript (hopefully not before Christmas – no seller has time to redo their listings at this time of year!), or should eBay continue to allow the code and refine their screening process in the knowledge that inevitably a handful of malicious listings will surface from time to time?

13 Responses

  1. I don’t much care what eBay do with flash and javascript (most of which is inserted on the site by eBay themselves to create ‘the experience’).

    But what they must do is:
    1) restore and maintain a stable trading platform
    2) repair the damaged perception in the eyes of all users as to the security of their personal data.

    There would appear to be an ongoing credibility gap.

  2. The call to ban these things is shrill and the kind of thing you’d expect from the Daily Mail.

    The numbers of compromised listings — the Defect Rate, if you will — is tiny. We’re talking a few hundred listings out of millions.

    It’s about the same rate as the amount of fraud on Paypal. Are we suggesting Paypal should be banned from eBay listings? It’s about the same rate as fake tenners. Are we suggesting they should be taken out of circulation?

    Just because there are a few bad buildings you don’t tear down an entire city. eBay can police the listings with relative ease, and perhaps — just perhaps — users can grow up a little and take their own personal responsibility for not entering their passwords into phishing sites.

  3. “Many sellers are also calling for responsive listing templates that adapt to tablet and mobile screens – that too heavily relies on Javascript.” It shouldn’t. Should just be HTML/CSS to do the responsive part.

  4. Anyone who still uses Flash and JavaScript in this day and age needs to take a modern day basic web design lesson. Buyers are not impressed with your overly garish listing pages with web counters, OTT info and dynamic menus. This isn’t Geocities, you are supposed to be presenting yourself as a professional business.

    Doesn’t matter about the defect rate, end of the day it’s not a complicated attack and eBay are currently allowing the phishing of username and passwords direct on their own website and it has been going on since February at the earliest.

    Do these shop owners realise that a growing number of people shop primarily from their phones and tablets? I.e. no Flash and basic JavaScript functionality; you really should be learning, or employing designers that know, HTML 5 and other modern standards.

  5. The BBC and the lefties in society annoy me – they have nothing better to write about. There is nothing wrong with eBay, it’s more about people who are so brain dead they give their passwords away or click on phishing links – they deserve to get their accounts hacked.

  6. As a professional software engineer, I have found that the overuse of JavaScript and Flash is annoying and can often breach the security of the client system; it is NOT essential, and it is also bad manners not to accommodate users that either do not want or are unable to run browsers with add-ons. Today I have tried many different sites to make a purchase, abandoning each when the page was unusable; I finally made my purchase on one that was client friendly. So who are the losers here? Neither Flash nor JS is essential, just used by lazy or unskilled web designers.

  7. Ebay already block lots of Javascript – for example you cannot directly include external Javascript files.

    The problem is that eBay allows obfuscated code, which people like Frooition use to include external files even though it’s not allowed. eBay’s system is either too basic to detect these exploits or we have to assume they condone it because they have allowed companies to do it for years.

    Look at the source of a Frooition template, like the Laura Ashley shop, and see the techniques they use to include external files. Stuff like this:

    var az = "SC";
    var bz = "RI";
    var cz = "PT";
    var tag = az + bz + cz; // the tag name is never spelled out in the listing source

    Then they concatenate them to output “SCRIPT”.

    They use multiple script tags with partial Javascript in them, again breaking eBay’s detection system.

    Once you start allowing exploits then it becomes a nightmare to manage – eBay could make a change to their code which breaks millions of listings. Also it becomes harder, although by no means impossible, to detect malicious code.
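The screening described in the article (the "Disallowed JavaScript/HTML Syntax" check) and the evasion described in the comment above, as an added example that is not part of the original page and is neither eBay's nor Frooition's code. It contrasts a source-level denylist with an allowlist over a parsed tag stream, runs the inline scripts against a stub document to show what the denylist let through, and then applies the allowlist. The listing HTML is constructed for the example, and the hostnames cdn.example.invalid and img.example.invalid are placeholders:

```javascript
// Added example, not eBay's or any listing designer's code. It contrasts a
// source-level denylist (the kind of screen behind a "Disallowed
// JavaScript/HTML Syntax" error) with an allowlist, using the two evasions
// described in the comments: a tag name assembled from string fragments, and
// a script split across several <script> elements. All listing HTML below is
// constructed for the example; cdn.example.invalid and img.example.invalid are
// placeholder hosts.

// 1. Denylist: reject listing source that contains known-bad markup.
const DENY_PATTERNS = [
  /<\s*script\b[^>]*\bsrc\s*=/i,    // external script include
  /<\s*(iframe|object|embed)\b/i,   // other active content
  /javascript\s*:/i,                // script URLs
  /\bon[a-z]+\s*=/i,                // inline event handlers
];

function denylistAccepts(html) {
  return !DENY_PATTERNS.some((re) => re.test(html));
}

// 2. What the browser would end up with: run the inline scripts in one shared
// scope (as a page does) against a stub `document` and return everything that
// document.write() emitted.
function scriptOutput(html) {
  const written = [];
  const fakeDocument = { write: (s) => written.push(String(s)) };
  const bodies = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi)].map((m) => m[1]);
  if (bodies.length > 0) new Function("document", bodies.join("\n"))(fakeDocument);
  return written.join("");
}

// Constructed listings. PLAIN spells the include out; the other two never do.
const PLAIN = `<div class="shop">Welcome</div>
<script src="https://cdn.example.invalid/menu.js"></script>`;

const CONCATENATED = `<div class="shop">Welcome</div>
<script>
var az = "SC";
var bz = "RI";
var cz = "PT";
var tag = az + bz + cz;
document.write("<" + tag + ' src="https://cdn.example.invalid/menu.js"></' + tag + ">");
</script>`;

const SPLIT = `<div class="shop">Welcome</div>
<script>var s = "<scr";</script>
<script>s += 'ipt src="https://cdn.example.invalid/menu.js"></scr';</script>
<script>document.write(s + "ipt>");</script>`;

const BENIGN = `<div class="shop"><img src="https://img.example.invalid/1.jpg" alt="photo">
<a href="https://www.example.invalid/">Shop</a></div>`;

// 3. Allowlist: accept only known tags and attributes, and only http(s) URLs.
const ALLOWED_TAGS = new Map(Object.entries({
  p: [], br: [], b: [], i: [], strong: [], em: [], ul: [], ol: [], li: [],
  h1: [], h2: [], h3: [], table: [], tr: [], td: [], th: [],
  div: ["class"], span: ["class"], img: ["src", "alt", "width", "height"], a: ["href"],
}));
const URL_ATTRS = new Set(["src", "href"]);

function safeUrl(raw) {
  // Drop surrounding quotes, then the whitespace and control characters that
  // browsers ignore inside a URL, then insist on an absolute http(s) URL.
  const v = raw.replace(/^["']|["']$/g, "").replace(/[\s\x00-\x1f]/g, "").toLowerCase();
  return /^https?:\/\//.test(v);
}

function allowlistAccepts(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z][\w-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let parsed = 0;
  for (const m of html.matchAll(tagRe)) {
    parsed += 1;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return false;      // any other element, however it was spelled
    if (m[0].startsWith("</")) continue;             // closing tags carry no attributes
    for (const a of m[2].matchAll(attrRe)) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED_TAGS.get(name).includes(attr)) return false;  // covers every on* handler
      if (URL_ATTRS.has(attr) && !safeUrl(a[2] || "")) return false;
    }
  }
  // Anything a browser would start tokenising as a tag ('<' followed by a
  // letter, '/', '!' or '?') that the loop above did not consume is rejected too.
  const tagStarts = (html.match(/<[a-zA-Z\/!?]/g) || []).length;
  return tagStarts === parsed;
}

for (const [label, listing] of Object.entries({ PLAIN, CONCATENATED, SPLIT, BENIGN })) {
  console.log(label, "denylist:", denylistAccepts(listing), "allowlist:", allowlistAccepts(listing),
    "writes:", JSON.stringify(scriptOutput(listing)));
}
```

Run it with node. The denylist passes CONCATENATED and SPLIT because the strings it looks for never appear in the listing source, yet what document.write() emits is exactly the external include the first pattern was written to stop. The allowlist never needs to know how the element name was spelled: anything outside its table is rejected. In a real gate the tokenising should be done by a proper HTML parser rather than the regex here, since browser tokenisers have corner cases a regex will not follow; the design point survives that swap, which is that the check rejects what it does not recognise instead of searching for what it does.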

