this post was submitted on 03 Feb 2024
116 points (94.6% liked)

Today I Learned

17792 readers
631 users here now

What did you learn today? Share it with us!

We learn something new every day. This is a community dedicated to informing each other and helping to spread knowledge.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must begin with TIL. Linking to a source of info is optional, but highly recommended as it helps to spark discussion.

** Posts must be about an actual fact that you have learned, but it doesn't matter if you learned it today. See Rule 6 for all exceptions.**



Rule 2- Your post subject cannot be illegal or NSFW material.

Your post subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding non-TIL posts.

Provided it is about the community itself, you may post non-TIL posts using the [META] tag on your post title.



Rule 7- You can't harass or disturb other members.

If you vocally harass or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

For further explanation, clarification and feedback about this rule, you may follow this link.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.

Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.



Partnered Communities

You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.

Community Moderation

For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.

founded 1 year ago
MODERATORS
 

This news is from almost exactly 8 years ago. Softpedia reported 13 days later that eBay partially patched it, but the patch was insufficient. I could not find further updates, but I do know that eBay has since removed more advanced JavaScript (incl. JSFuck) from all listings in 2017.

"An attacker could target eBay users by sending them a legitimate page that contains malicious code," Check Point researcher Oded Vanunu wrote in a blog post published Tuesday. "Customers can be tricked into opening the page, and the code will then be executed by the user's browser or mobile app, leading to multiple ominous scenarios that range from phishing to binary download."

To exploit this vulnerability, all an attacker needs to do is create an online eBay store. In his store details, he posts a maliciously crafted item description. eBay prevents users from including scripts or iFrames by filtering out those HTML tags. However, by using JSF**k, the attacker is able to create a code that will load an additional JS code from his server. This allows the attacker to insert a remote controllable JavaScript that he can adjust to, for example, create multiple payloads for a different user agent.

eBay performs simple verification but only strips alpha-numeric characters from inside the script tags. The JSF**k technique allows the attackers to get around this protection by using a very limited and reduced number of characters.

eBay has no plans to fix a "severe" vulnerability that allows attackers to use the company's trusted website to distribute malicious code and phishing pages, researchers from security firm Check Point Software said.

In an e-mail sent to Ars after [their article] went live, eBay officials wrote: " "eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”

The e-mail added:

Also, it's important to understand that we have been in touch with the researcher and have implemented various security filters based on his findings to detect this exploit. Since we allow active content on our site it's important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 9 months ago (1 children)

The article's from 8 years ago. The exploit's probably patched now.

[–] [email protected] 5 points 9 months ago (1 children)

Why would you not include that in the body of your post that went into extra detail about how ebay was making statements about ignoring the exploit?

And also, do you have any sources that confirm its been patched in any way? Because an exploit being old is not proof it doesnt exist anymore.

[–] [email protected] 7 points 9 months ago* (last edited 9 months ago)

I tried to do that with the "published 8 years ago", but I see now how it wasn't clear enough. I've amended the first paragraph. (all the other paragraphs are quotes from the article, by the way) I couldn't find any further update other than one 13 years later, which you can read in a link in the first paragraph.

Edit: It's definitely gone, they've disabled "Active Content" which is non-basic JS in listings since 2017.