back to article Disputed eBay platform vuln poses ‘severe risk’ to tat bazaar's users

A vulnerability in eBay’s online sales platform creates a mechanism for crooks to sling malware or run phishing campaigns. The vulnerability allowed hackers to bypass eBay’s code validation mechanisms, thereby allowing them to push malicious Javascript code towards targeted eBay users. If the flaw is left unpatched, eBay’s …

  1. Anonymous Coward
    Anonymous Coward

    Reminds me of the acebook CSRF login vulnerability...

    It's not a vulnerability... it' s a feature!

  2. Captain Badmouth
    FAIL

    Company statement :

    "We take reported security issues very seriously, and work quickly to evaluate them "

    Cut and pasted from every other company statement about a security breach/flaw we've seen over the years.

    Nothing to see here yet, get your popcorn and hang about...

    1. MyffyW Silver badge

      Re: Company statement :

      Too true @Captain_Badmouth. Just need a chief exec named after a figure from classical antiquity and we're well into deja vu territory.

      1. Trigonoceps occipitalis

        Re: Company statement :

        Who, Epimetheus Harding?

        (EPIMETHEUS was the Titan god of afterthought, the father of excuses.)

  3. tiggity Silver badge

    eBay caveat emptor

    As eBay has been scam central for such a long time, does anyone still actually trust anything much on there, ever?

  4. Elmer Phud Silver badge

    Ah, that one . . .

    "Customers could then be tricked into opening the page using a pop-up message on the attacker’s eBay store enticing the user into downloading a new eBay mobile application, by offering a one-time discount."

    The old tricks are the best

  5. clocKwize

    This isn't a new thing, this has always been the case. Its been reported many times and I'm sure its been highlighted in many news articles (maybe on El Reg)... Why do I think its not going to get fixed this time either?

  6. Tim Brown 1
    Holmes

    Wrong culprit?

    Without wishing to defend Ebay, surely if javascript is allowed to do anything it shouldn't, the real problem is in the browser?

    1. Paul Crawford Silver badge

      Re: Wrong culprit?

      The javascript might not do anything much itself, but it allows all sorts of nasties such as flash or PDF documents to be directed at the user, and at the very least it would allow a 3rd pay to pass off as eBay pretty effectively given they are on that site, so stealing username/password and so on with a little social engineering is trivial.

    2. Nattrash
      FAIL

      Re: Wrong culprit?

      Sorry but I don't agree. I mean, if you fire Ebay up, they immediately start nagging you that you should activate JavaScript. And thus open a vector to their "valued customers". As the critical factor in computing is always between the chair and keyboard, it isn't the tech that is the prob here, but the way it is used. Also, don't forget that most users on there are noobs, always in awe of the workings of IoT. So are they surprised when a handy popup opens so they can fill in their bank or PayPal details? If Ebay really is committed to deliver a safe platform to their "valued users" then they'd be all over this and solve their issues ASAP. But as the article (and history) shows their business policy seems to be to keep driving down this road, skimming their few cents on the huge amount of transactions until it breaks down indefinitely. Then again, who here didn't get some cool (retro?) electronics of Ebay..?

  7. Anonymous Coward
    Anonymous Coward

    JSf**k

    Sounds like a variant of Brainf**k. Never thought I'd see a practical* application for that programming language!

    *practical for crooks

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019