eBay's phishy old problem
We were wrong, but is eBay wronger?
Comment Reg Developer recently published a story about listings on eBay that point users to phishing sites. We thought we'd uncovered a new security issue on eBay, but it turns out we were wrong.
Not wrong about the security issue, there certainly is one. Our error was in assuming that it was new and/or that eBay didn't know about it.
Starting from some leads provided by you lot, we have found out that this issue has been well-documented for at least a year.
For example, it is described in a US-CERT vulnerability note dated 02/05/2006, which says: "eBay is a popular auction website. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website."
So the root of the problem is that users are allowed to post active code and active code can be used for malicious purposes.
What can eBay do? Well, if it chose to, it could restrict the HTML that users post to its site. This could have two effects, depending on what restrictions the company enforced: 1) it could ensure that the listing was rendered perfectly safe for other users, or 2) it could restrict the dynamic content that some perfectly legitimate users like to post.
So eBay has to strike a balance between security for its users and the functionality it offers them.
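To make the trade-off concrete, here is an added example (not eBay's code, and not from the article) of the first option: an allowlist-based sanitizer for user-posted listing HTML. It keeps only a small set of formatting tags and attributes, removes `script`-style elements together with their contents, drops inline event handlers, and keeps only absolute http/https URLs in `href`/`src`. The tag and attribute allowlist, the `ListingSanitizer` class and the sample listing are all constructed for this illustration; a real deployment would tune the allowlist to whatever "dynamic content" the site decides to keep.

```python
"""Allowlist-based sanitizer for user-supplied auction listing HTML.

Illustrative code, not eBay's implementation. Everything that is not on
the allowlist is dropped: unknown tags lose their markup but keep their
text, script/style/iframe-like elements lose their content too, event
handler attributes are removed, and only http(s) URLs survive.
"""
from html import escape
from html.parser import HTMLParser

# Tags a listing may keep, mapped to the attributes each may carry (constructed allowlist).
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}          # never get a closing tag
URL_ATTRS = {"href", "src"}        # attributes that must hold a safe URL
# Elements whose entire content, not only the tags, is discarded.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def _safe_url(value: str) -> bool:
    """Accept only absolute http/https URLs; rejects javascript:, data:, vbscript: etc."""
    v = value.strip().lower()
    return v.startswith("http://") or v.startswith("https://")


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.dropping = 0      # nesting depth inside a DROP_CONTENT_TAGS element
        self.open_stack = []   # allowed tags currently open, for well-formed output

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the markup, keep any text inside it
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # covers onerror=, onclick=, style= and the like
            if name in URL_ATTRS and not _safe_url(value):
                continue  # javascript: and other non-http(s) URLs are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_stack:
            # Close any still-open inner tags first so the output stays well-formed.
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # HTML comments are dropped rather than passed through

    def result(self) -> str:
        self.close()  # flush buffered text before closing dangling tags
        while self.open_stack:
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_listing(html: str) -> str:
    """Return the allowlisted subset of a user-posted listing description."""
    p = ListingSanitizer()
    p.feed(html)
    return p.result()


# Constructed sample listing mixing legitimate markup with the kinds of
# active content the article describes (script tag, inline handler, javascript: link).
SAMPLE_LISTING = (
    '<p>Mint <b>condition</b> console &amp; games</p>'
    '<script>document.location="http://phish.example/login"</script>'
    '<img src="https://img.example/1.jpg" onerror="alert(1)" alt="front">'
    '<a href="javascript:alert(1)">Click</a>'
    '<a href="https://example.com/faq">FAQ</a>'
    '<iframe src="https://phish.example/"></iframe>'
    '<u>Ships fast</u>'
)

if __name__ == "__main__":
    print(sanitize_listing(SAMPLE_LISTING))
```

The design choice worth noting is allowlisting rather than blocklisting: the sanitizer never tries to enumerate dangerous constructs, it enumerates the few safe ones and drops everything else, which is what makes option 1 in the article ("rendered perfectly safe") achievable at the cost of option 2 (losing arbitrary dynamic content).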
Over a year ago eBay apparently made a conscious decision not to restrict the HTML in this way. In an interview in March 2006, an eBay spokeswoman, Catherine England, is quoted as saying:
"Our sellers really use the dynamic content aspect of our listings. The benefits overwhelmingly outweigh the red skin that we have gotten.
"By the time something gets up there, we're usually so quick to get it and pull it down that it is really a moot point. We feel that it is not a huge concern or issue - it is miniscule."
As we found two weeks ago, "quick" can equate to more than two hours. There is evidence on eBay's own Trust and Safety community board (here and here) that a malicious listing can stay up for considerably longer than two hours.
These are well worth reading (thanks to Reg Dev reader Lee Berkovits for them). A week may be a long time in politics. On the web even two hours is more than enough time for multiple listings to phish multiple identities.
Do a few identity thefts really matter? They don't seem too bad if you believe that most phishers are school kids in bedrooms trying to steal an eBay identity so they can buy a bigger Wii than their mate's. Sadly, as The Register has shown (here and here), all too often organised crime is behind modern phishing expeditions.
why they allow dynamic content
The reason ebay allows dynamic content is to stop them from being closed down. Sure they make a huge chunk on the final value fee. But they also make a huge chunk on the listing. Let's imagine you want to list an item and, in order to wring the maximum out of the listing, you include 10 hi-resolution images so potential bidders have a precise idea of what you are selling.
Why would you want to do this?
2 reasons: firstly so people can't complain that you didn't describe the item adequately, secondly to hopefully entice higher bids.
Now in order to do this you would use ebay's image hosting because of course active scripting is banned on ebay and you have to pay for their image hosting which is a monopoly and would get them closed.
Alternatively ebay could allow companies like auctiva (who make their money from auctionsniper.com) to host images for you using their listing tool. It has its (massive) flaws but it is handy for what it does. Or you could host the images and includes yourself, if you fancy writing the code. This introduces competition, removes the monopoly and so ebay doesn't get closed down.
I don't imagine it has anything to do with benefit for users, it is for ebay's own benefit that they allow scripting like this.
Dude, where have you been? eBay hasn't been an 'auction site' for years!! I remember when it used to be an auction site. (Heck. I had a 4 digit eBay ID back in the day.) That was a looooong time ago.
Today true auctions are a very very small percentage of eBay.
Today eBay's just an extension of corporate catalog sales. That's why they have to allow the dynamic off-server content that leads to the cross-site scripting issues. Corporate pass-thru sales are the bulk of eBay's business these days.
Seriously. Pick up a dead tree catalog. Now pick a page at random. Now search in Ebay for any product listed on that page. You'll see that product on eBay. It will be for sale from that company and the 'BuyItNow' price will be the same price you see in the dead tree catalog.
That's what eBay is today. The small business guys started it, posting slow moving inventory for sale, then moving on to listing more and more new items. Today they list items they don't even have in stock but can direct ship to the buyer.
Now the national and international folks have moved in.
Auction site? Meh. eBay isn't an auction site anymore. Sorry.
lunatics taking over the asylum?
is it too staggering a concept that ebay furnishes its listers with some generic functions?
e.g. simple image grabber, rss client
i seriously struggle to see what if any dynamic content could be useful on ebay, other than maybe some expand and contract DHTML for a listings details
and even then that could be implemented using something like :
and a piss simple regexp....
anything else is just myspace style fluff and can't be business critical.
end of the day, if a user wants it that badly, why don't they just use eBay's web services and link to their browser-incompatible listings on their own domain?