Reg Developer recently published a story about listings on eBay that point users to phishing sites. We thought we'd uncovered a new security issue on eBay, but it turns out we were wrong. Not wrong about the security issue, there certainly is one. Our error was in assuming that it was new and/or that eBay didn't know about it …
eBay invites a self-generated DDoS
Obviously I won't post the code, but the script would install a browser helper object that silently and invisibly opened a browser window (MSIE for example) on eBay's own search engine, and then generated a search for a random string every few seconds.
Removing the auction would not stop the BHOs that had already been installed on unsuspecting eBayers' computers, and therefore would not stop the DDoS. And since eBay refuses to restrict active content, the malicious coder(s) could open lots more such "auctions" and infect many thousands more computers. Only by blocking the source IPs of the infected computers - and thus blocking their own customers from accessing eBay - could the DDoS be mitigated somewhat.
Frankly, I'm surprised it hasn't already been done.
I'm not all that surprised really
eBay care about the bottom line only. Everything I have heard about them in the media tells me they could care less for the security of their customers. They give the appearance of trust but when people come to rely on it they discover all the small print that makes their protection meaningless. I believe eBay is especially unethical. They are happy to make money on all sorts of illegal auctions. eBayer beware !!
If eBay was found to have been the place that one of these phishing scams resulted in identity theft, then, having acknowledged that they know about the issue, aren't they then liable for the results?
lunatics taking over the asylum?
is it too staggering a concept that ebay furnishes its listers with some generic functions?
e.g. simple image grabber, rss client
i seriously struggle to see what if any dynamic content could be useful on ebay, other than maybe some expand and contract DHTML for a listing's details
and even then that could be implemented using something like:
and a piss simple regexp....
anything else is just myspace style fluff and can't be business critical.
end of the day if a user wants it that badly why don't they just use ebay's webservices and link to their browser incompatible listings on their own domain?
why they allow dynamic content
The reason ebay allows dynamic content is to stop them from being closed down. Sure they make a huge chunk on the final value fee. But they also make a huge chunk on the listing. Let's imagine you want to list an item and, in order to wring the maximum out of the listing, you include 10 hi-resolution images so potential bidders have a precise idea of what you are selling.
Why would you want to do this?
2 reasons: firstly so people can't complain that you didn't describe the item adequately, secondly to hopefully entice higher bids.
Now in order to do this you would use ebay's image hosting because of course active scripting is banned on ebay and you have to pay for their image hosting which is a monopoly and would get them closed.
Alternatively ebay could allow companies like auctiva (who make their money from auctionsniper.com) to host images for you using their listing tool. It has its (massive) flaws but it is handy for what it does. Or you could host the images and includes yourself, if you fancy writing the code. This introduces competition, removes the monopoly and so ebay doesn't get closed down.
I don't imagine it has anything to do with benefit for users, it is for ebay's own benefit that they allow scripting like this.
Dude, where have you been? eBay hasn't been an 'auction site' for years!! I remember when it used to be an auction site. (Heck. I had a 4 digit eBay ID back in the day.) That was a looooong time ago.
Today true auctions are a very very small percentage of eBay.
Today eBay's just an extension of corporate catalog sales. That's why they have to allow the dynamic off-server content that leads to the cross-site scripting issues. Corporate pass-thru sales are the bulk of eBay's business these days.
Seriously. Pick up a dead tree catalog. Now pick a page at random. Now search in Ebay for any product listed on that page. You'll see that product on eBay. It will be for sale from that company and the 'BuyItNow' price will be the same price you see in the dead tree catalog.
That's what eBay is today. The small business guys started it, posting slow moving inventory for sale, then moving on to listing more and more new items. Today they list items they don't even have in stock but can direct ship to the buyer.
Now the national and international folks have moved in.
Auction site? Meh. eBay isn't an auction site anymore. Sorry.