Following on from the BBC coverage of eBay XSS vulnerabilities, and the several hundred listings identified as phishing for credentials directly from the eBay site, we thought we should poll the experts for some opinions on one question:
How would a ban on active code impact your custom listing design?
Is HTML5 the answer?
The designers tell us that HTML5 is not yet 100% compatible on eBay, and even if it were, it would not allow for some of the functionality you see in descriptions or shops today. Plus, of course, HTML5 relies on the user having a fully up-to-date browser or it simply won't be supported.
You might think it's a great way to force users to update their browser, but go to https://html5test.com/ and you'll find that your (hopefully) up-to-date browser doesn't fully support HTML5 yet. As for older devices, which must include internet-enabled TVs, games consoles and a plethora of smartphones and tablets that can't be upgraded to the latest versions, you can see it's a bit of a problem.
Perhaps a solution would be a ban on all active code except that specifically tested and approved by eBay. If they could work with the listing design companies, their code could be approved, but of course there are hundreds of smaller companies whose code would be banned, not to mention the sellers who code their own listings.
The BBC, of course, are in favour of a ban, and it would be fair to assume it's tempting for eBay themselves: banning active code in listings would close off the XSS vector behind these phishing listings, and with it the bad press.
But what they must do is:
1) restore and maintain a stable trading platform
2) repair the damaged perception in the eyes of all users as to the security of their personal data.
There would appear to be an ongoing credibility gap.
The call to ban these things is shrill and the kind of thing you’d expect from the Daily Mail.
The number of compromised listings — the Defect Rate, if you will — is tiny. We're talking a few hundred listings out of millions.
It's about the same rate as the amount of fraud on PayPal. Are we suggesting PayPal should be banned from eBay listings? It's about the same rate as fake tenners. Are we suggesting they should be taken out of circulation?
Just because there are a few bad buildings you don't tear down an entire city. eBay can police the listings with relative ease, and perhaps — just perhaps — users can grow up a little and take their own personal responsibility for not entering their passwords into phishing sites.
It doesn't matter about the defect rate; at the end of the day it's not a complicated attack, and eBay are currently allowing the phishing of usernames and passwords directly on their own website, and it has been going on since February at the earliest.
The BBC and the lefties in society annoy me – they have nothing better to write about. There is nothing wrong with eBay; it's more about people who are so brain-dead they give their passwords away or click on phishing links – they deserve to get their accounts hacked.
The problem is that eBay allows obfuscated code, which people like Frooition use to include external files even though it’s not allowed. eBay’s system is either too basic to detect these exploits or we have to assume they condone it because they have allowed companies to do it for years.
Look at the source of a Frooition template, like the Laura Ashley shop, and see the techniques they use to include external files. Stuff like this:
var az = "SC";
var bz = "RI";
var cz = "PT";
var dz = az + bz + cz; // the literal string "SCRIPT" never appears in the source
Then they concatenate them to output "SCRIPT".
Once you start allowing exploits then it becomes a nightmare to manage – eBay could make a change to their code which breaks millions of listings. Also it becomes harder, although by no means impossible, to detect malicious code.
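As an added illustration (this is not the commenter's code, nor anything taken from a Frooition or eBay template): the constructed snippets below reproduce the split-string pattern described in the comment above, in three variants (split variables, a split tag name used via the DOM API, and inline split literals), next to a benign concatenation. They show why a filter that only looks for the literal `<script` misses every obfuscated form, while a simple constant-folding pass over `var x = "..."` assignments and `+` chains catches all three. The snippets, variable names and the `example.invalid` URL are all constructed for the example.

```javascript
// Added example, not code from the page, the commenter, or any eBay/Frooition
// template. Shows why a literal "<script" filter misses split-string
// obfuscation, and a constant-folding heuristic that catches it.
// All snippets below are constructed for illustration.

// Constructed sample 1: plain tag; a literal filter catches this.
const PLAIN = '<script src="http://example.invalid/ext.js"></script>';

// Constructed sample 2: the split-variable style described in the comment.
const SPLIT_VARS = [
  'var az = "SC";',
  'var bz = "RI";',
  'var cz = "PT";',
  'var tag = "<" + az + bz + cz + " src=\'http://example.invalid/ext.js\'></" + az + bz + cz + ">";',
  'document.write(tag);',
].join('\n');

// Constructed sample 3: only the tag name is assembled, then used via the DOM API.
const SPLIT_TAGNAME = 'var az = "SC"; var bz = "RI"; var cz = "PT"; var t = az + bz + cz; document.body.appendChild(document.createElement(t));';

// Constructed sample 4: inline split literals, no variables at all.
const SPLIT_LITERALS = 'document.write("<scr" + "ipt src=\'http://example.invalid/ext.js\'></scr" + "ipt>");';

// Constructed sample 5: benign concatenation that must not be flagged.
const BENIGN = 'var title = "Item " + "description";';

// Naive filter: only looks for the literal tag name in the raw source.
function naiveContainsScript(src) {
  return /<\s*script\b/i.test(src);
}

// One operand of a '+' chain: a double- or single-quoted literal, or an identifier.
const OPERAND = '(?:"[^"\\n]*"|\'[^\'\\n]*\'|[A-Za-z_$][\\w$]*)';
// Two or more operands joined by '+'.
const CHAIN_RE = new RegExp(`${OPERAND}(?:\\s*\\+\\s*${OPERAND})+`, 'g');
const OPERAND_RE = new RegExp(OPERAND, 'g');
// var/let/const name = "literal";
const CONST_RE = /\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(["'])([^"'\n]*)\2\s*;/g;

// Fold every 'a + b + c' chain of string literals and known string constants
// into the string it evaluates to. Deliberately one level deep: it follows
// identifiers bound directly to a literal and drops anything it cannot resolve,
// which is enough for the pattern in the comment and keeps the heuristic cheap.
function foldConcatenations(src) {
  const consts = new Map();
  for (const m of src.matchAll(CONST_RE)) consts.set(m[1], m[3]);

  const folded = [];
  for (const chain of src.matchAll(CHAIN_RE)) {
    const parts = chain[0].match(OPERAND_RE).map((op) => {
      if (op[0] === '"' || op[0] === "'") return op.slice(1, -1); // literal: strip quotes
      return consts.has(op) ? consts.get(op) : '';               // identifier: resolve or drop
    });
    folded.push(parts.join(''));
  }
  return folded;
}

// Flag if the raw source carries the literal tag, or any folded chain yields
// a script tag or the bare tag name "script" (for the createElement variant).
function detectScriptConstruction(src) {
  if (naiveContainsScript(src)) return true;
  return foldConcatenations(src).some(
    (s) => /<\s*script\b/i.test(s) || /^\s*script\s*$/i.test(s)
  );
}
```

The folding pass is a heuristic, not a parser: a template that builds the string through a function call, an array join or `String.fromCharCode` slips past it, which is the commenter's point that once obfuscation is tolerated, detection gets harder with every new trick. The cheap fix on the platform side is not a cleverer filter but refusing any `<script`-capable construct in listing HTML at all.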