Feeds

eBay's phishy old problem

We were wrong, but is eBay wronger?

Business security measures using SSL

Comment Reg Developer recently published a story about listings on eBay that point users to phishing sites. We thought we'd uncovered a new security issue on eBay, but it turns out we were wrong.

Not wrong about the security issue, there certainly is one. Our error was in assuming that it was new and/or that eBay didn't know about it.

Starting from some leads provided by you lot, we have found out that this issue has been well-documented for at least a year.

For example, it is described in a US-CERT vulnerability note dated 02/05/2006, which says: "eBay is a popular auction website. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website."

So the root of the problem is that users are allowed to post active code and active code can be used for malicious purposes.

What can eBay do? Well, if it chose to, it could restrict the HTML that users post to its site. This could have two effects, depending on what restrictions the company enforced: 1) it could ensure that the listing was rendered perfectly safe for other users, or 2) it could restrict the dynamic content that some perfectly legitimate users like to post.

So eBay has to strike a balance between security for its users and the functionality it offers them.

Over a year ago eBay apparently made a conscious decision not to restrict the HTML in this way. In an interview in March 2006, an eBay spokeswoman, Catherine England, is quoted as saying:

"Our sellers really use the dynamic content aspect of our listings. The benefits overwhelmingly outweigh the red skin that we have gotten.

"By the time something gets up there, we're usually so quick to get it and pull it down that it is really a moot point. We feel that it is not a huge concern or issue - it is miniscule."

As we found two weeks ago, "quick" can equate to more than two hours. There is evidence on eBay's own Trust and Safety community board, (here and here), that a malicious listing can stay up for considerably longer than two hours.

These are well worth reading (thanks to Reg Dev reader Lee Berkovits for them). A week may be a long time in politics. On the web even two hours is more than enough time for multiple listings to phish multiple identities.

Do a few identity thefts really matter? They don't seem too bad if you believe that most phishers are school kids in bedrooms trying to steal an eBay identity so they can buy a bigger Wii than their mate's. Sadly, as The Register has shown (here and here), all too often organised crime is behind modern phishing expeditions.

New hybrid storage solutions

Next page: eBay's reply

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.