Feeds

eBay's phishy old problem

We were wrong, but is eBay wronger?

Securing Web Applications Made Simple and Scalable

Comment Reg Developer recently published a story about listings on eBay that point users to phishing sites. We thought we'd uncovered a new security issue on eBay, but it turns out we were wrong.

Not wrong about the security issue, there certainly is one. Our error was in assuming that it was new and/or that eBay didn't know about it.

Starting from some leads provided by you lot, we have found out that this issue has been well-documented for at least a year.

For example, it is described in a US-CERT vulnerability note dated 02/05/2006, which says: "eBay is a popular auction website. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website."

So the root of the problem is that users are allowed to post active code and active code can be used for malicious purposes.

What can eBay do? Well, if it chose to, it could restrict the HTML that users post to its site. This could have two effects, depending on what restrictions the company enforced: 1) it could ensure that the listing was rendered perfectly safe for other users, or 2) it could restrict the dynamic content that some perfectly legitimate users like to post.

So eBay has to strike a balance between security for its users and the functionality it offers them.

Over a year ago eBay apparently made a conscious decision not to restrict the HTML in this way. In an interview in March 2006, an eBay spokeswoman, Catherine England, is quoted as saying:

"Our sellers really use the dynamic content aspect of our listings. The benefits overwhelmingly outweigh the red skin that we have gotten.

"By the time something gets up there, we're usually so quick to get it and pull it down that it is really a moot point. We feel that it is not a huge concern or issue - it is miniscule."

As we found two weeks ago, "quick" can equate to more than two hours. There is evidence on eBay's own Trust and Safety community board, (here and here), that a malicious listing can stay up for considerably longer than two hours.

These are well worth reading (thanks to Reg Dev reader Lee Berkovits for them). A week may be a long time in politics. On the web even two hours is more than enough time for multiple listings to phish multiple identities.

Do a few identity thefts really matter? They don't seem too bad if you believe that most phishers are school kids in bedrooms trying to steal an eBay identity so they can buy a bigger Wii than their mate's. Sadly, as The Register has shown (here and here), all too often organised crime is behind modern phishing expeditions.

Bridging the IT gap between rising business demands and ageing tools

Next page: eBay's reply

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.