Feeds

eBay's phishy old problem

We were wrong, but is eBay wronger?

Boost IT visibility and business value

Comment Reg Developer recently published a story about listings on eBay that point users to phishing sites. We thought we'd uncovered a new security issue on eBay, but it turns out we were wrong.

Not wrong about the security issue, there certainly is one. Our error was in assuming that it was new and/or that eBay didn't know about it.

Starting from some leads provided by you lot, we have found out that this issue has been well-documented for at least a year.

For example, it is described in a US-CERT vulnerability note dated 02/05/2006, which says: "eBay is a popular auction website. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website."

So the root of the problem is that users are allowed to post active code and active code can be used for malicious purposes.

What can eBay do? Well, if it chose to, it could restrict the HTML that users post to its site. This could have two effects, depending on what restrictions the company enforced: 1) it could ensure that the listing was rendered perfectly safe for other users, or 2) it could restrict the dynamic content that some perfectly legitimate users like to post.

So eBay has to strike a balance between security for its users and the functionality it offers them.

Over a year ago eBay apparently made a conscious decision not to restrict the HTML in this way. In an interview in March 2006, an eBay spokeswoman, Catherine England, is quoted as saying:

"Our sellers really use the dynamic content aspect of our listings. The benefits overwhelmingly outweigh the red skin that we have gotten.

"By the time something gets up there, we're usually so quick to get it and pull it down that it is really a moot point. We feel that it is not a huge concern or issue - it is miniscule."

As we found two weeks ago, "quick" can equate to more than two hours. There is evidence on eBay's own Trust and Safety community board, (here and here), that a malicious listing can stay up for considerably longer than two hours.

These are well worth reading (thanks to Reg Dev reader Lee Berkovits for them). A week may be a long time in politics. On the web even two hours is more than enough time for multiple listings to phish multiple identities.

Do a few identity thefts really matter? They don't seem too bad if you believe that most phishers are school kids in bedrooms trying to steal an eBay identity so they can buy a bigger Wii than their mate's. Sadly, as The Register has shown (here and here), all too often organised crime is behind modern phishing expeditions.

Boost IT visibility and business value

Next page: eBay's reply

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Mozilla keeps its Beard, hopes anti-gay marriage troubles are now over
Plenty on new CEO's todo list – starting with Firefox's slipping grasp
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.