This afternoon eBay have made an announcement about how they tackle the so-called “cross site scripting” that we wrote about on Tamebay a few weeks ago. They explain the level of the risk and what they are doing to tackle it.
Perhaps most notably eBay note that they will not be changing site rules to prevent the use of Flash or Javascript on the site because the value of that is greater than the risk of a few dodgy listings.
We reproduce the announcement here verbatim. You can view it on eBay here.
***How eBay is combatting cross-site scripting***
Lynda Talgo – Vice President of Global Managed Marketplace
When we became aware of reports about eBay customers being vulnerable due to cross-site scripting, we took these claims extremely seriously – nothing is more important than the trust of our customers. We quickly conducted an internal investigation to ensure the processes and policies we have in place are properly addressing this issue.
What is cross-site scripting?
eBay allows the use of active content on our marketplace, including Java Script, Flash, links, videos and pictures to enrich the buyer and seller experience. Examples include the ability for sellers to cross-merchandise items, personalize and brand eBay stores, incorporate videos into listings, provide links to eBay stores and scroll/zoom pictures in the item description.
While both sellers and buyers benefit from active content, we are aware that active content may be used in abusive ways. In particular, the practice of cross-site scripting – carried out by criminals – is an issue that affects sites that allow active content across the Internet.
How common is cross-site scripting on eBay?
It’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.
How we combat the use of malicious code
· We have a multi-level security system designed to detect the use of malicious code on our marketplace
· We employ technologies that prevent sellers from using certain kinds of active content in their items descriptions.
· We also apply technologies that support us in identifying malicious content in listings and take the appropriate actions to remove.
We remove the vast majority of listings containing malicious content within one hour of detection.
After a recent review of our processes and policies, we believe the benefits of allowing active content to our customers outweigh the extremely low likelihood of being exposed to them.
Committed to your safety
We’re fully committed to our millions of customers, and you can count on us to remain steadfast in our efforts to provide a safe and secure marketplace for buyers and sellers around the world.
Any customer who spots a listing of concern can use the ‘report item’ function at the bottom right of the listing page.
2 Responses
Really disappointed with their response. It doesn’t matter if its estimated (how do they estimate?) 2 listings every 1 million. That still means that there are two listings that will be live for possibly an hour which multiple people could click into and become a victim. I wonder the percentage wise, not just 2 every 1 million which is purposely said to try and make it look so tiny. I’m sure there’s millions of listings active each day.
Its 2 in every million now but it can be exploited similar to what we saw with Youtube in the past where they were took over and the site was basically taken offline because there was too many videos being redirected.
I personally wont purchase from eBay from now on, I’ll stick to Amazon. I only use eBay for niche things but now its just not worth the hassle.
This would hurt new businesses starting on eBay considerably.I can’t imagine many people feeling confident clicking into listings from sellers with under 50 feedback.
Tim I think you are over reacting, in the last 2-3 years almost every large tech company has been hacked or defences breached in someway or another.
Tim also as you are not keen on taking risks here some other numbers you may not like and may have to take in to count and re think you whole life.
the odds of dying in a plane crash are 1 in 11 million [sources: Clarke, Ropeik]. The odds of dying in a car accident are around 1 in 5,000.
I am guessing you will now be walking everywhere.