Feeds

eBay's phishy old problem

We were wrong, but is eBay wronger?

Secure remote control for conventional and virtual desktops

Comment Reg Developer recently published a story about listings on eBay that point users to phishing sites. We thought we'd uncovered a new security issue on eBay, but it turns out we were wrong.

Not wrong about the security issue, there certainly is one. Our error was in assuming that it was new and/or that eBay didn't know about it.

Starting from some leads provided by you lot, we have found out that this issue has been well-documented for at least a year.

For example, it is described in a US-CERT vulnerability note dated 02/05/2006, which says: "eBay is a popular auction website. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description. This creates a cross-site scripting vulnerability in the eBay website."

So the root of the problem is that users are allowed to post active code and active code can be used for malicious purposes.

What can eBay do? Well, if it chose to, it could restrict the HTML that users post to its site. This could have two effects, depending on what restrictions the company enforced: 1) it could ensure that the listing was rendered perfectly safe for other users, or 2) it could restrict the dynamic content that some perfectly legitimate users like to post.

So eBay has to strike a balance between security for its users and the functionality it offers them.

Over a year ago eBay apparently made a conscious decision not to restrict the HTML in this way. In an interview in March 2006, an eBay spokeswoman, Catherine England, is quoted as saying:

"Our sellers really use the dynamic content aspect of our listings. The benefits overwhelmingly outweigh the red skin that we have gotten.

"By the time something gets up there, we're usually so quick to get it and pull it down that it is really a moot point. We feel that it is not a huge concern or issue - it is miniscule."

As we found two weeks ago, "quick" can equate to more than two hours. There is evidence on eBay's own Trust and Safety community board, (here and here), that a malicious listing can stay up for considerably longer than two hours.

These are well worth reading (thanks to Reg Dev reader Lee Berkovits for them). A week may be a long time in politics. On the web even two hours is more than enough time for multiple listings to phish multiple identities.

Do a few identity thefts really matter? They don't seem too bad if you believe that most phishers are school kids in bedrooms trying to steal an eBay identity so they can buy a bigger Wii than their mate's. Sadly, as The Register has shown (here and here), all too often organised crime is behind modern phishing expeditions.

Beginner's guide to SSL certificates

Next page: eBay's reply

More from The Register

next story
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Apple's OS X Yosemite slurps UNSAVED docs into iCloud
Docs, email contacts... shhhlooop, up it goes
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.