eBay's reluctance to secure its platform leads to more XSS attacks
eBay popped up in the news for its reactive stance on customer security: it allows sellers to add their own code to listings, and that code can be turned against the buyers who view them. eBay does give sellers rules warning that accounts caught doing this may be limited or suspended, but with this kind of attack the damage has already been done by the time eBay finds the code. The alarming thing is that this isn't a new problem for eBay; the same thing happened in 1999 with the eBayla exploit. The exploit was presented to eBay, but no further action was taken to fix the problem.
The thing is that it's not just eBay that suffers from this problem. Plenty of websites try to give themselves a competitive edge by letting users do what they like with the platform. Those freedoms lead to over-complicated parsing rules, and eventually loopholes are found that can be exploited by the curious or by those with malicious intent. Over the past decade there have been several notable XSS worms: MySpace had Samy, Twitter had MouseOver, and Orkut had Bom Sabado.
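As an added illustration of why those parsing rules keep springing loopholes (example code written for this page, not eBay's or any of the named sites' code), here is a blocklist "sanitizer" of the kind that grows one rule per incident, next to an allowlist one, both run over a constructed listing. The tag and attribute policy, the URL rule and the sample markup are assumptions, and the tokenizer is deliberately minimal (it does not handle `>` inside quoted attribute values).

```javascript
// Added example, not eBay's or any named site's code: a blocklist
// "sanitizer" that grows one rule per incident next to an allowlist one.
// The tag/attribute policy and the sample listing are assumptions.

// Constructed listing markup: harmless formatting plus three common payloads
// (an event handler, an entity-obfuscated javascript: URL, a script tag).
const LISTING =
  '<p>Brand new <b>widget</b>!</p>' +
  '<img src="https://cdn.example/widget.jpg" onerror="alert(document.cookie)">' +
  '<a href="java&#09;script:alert(1)">Buy</a>' +
  '<script>alert(1)</script>';

// Blocklist: strip what the author has seen so far. The script tag goes, but
// the onerror handler and the entity-split scheme were never on the list.
function blocklistSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/javascript:/gi, "")
    .replace(/<iframe\b[^>]*>/gi, "");
}

// Allowlist: rebuild the markup from a fixed set of tags and attributes and
// escape everything else. Unknown tags, unknown attributes (every on* handler
// included) and non-http(s) URLs never reach the output. A Map, not a plain
// object, so that tag names like "constructor" cannot hit prototype keys.
const ALLOWED = new Map([
  ["b", []], ["i", []], ["p", []], ["br", []],
  ["img", ["src", "alt"]],
  ["a", ["href"]],
]);
const URL_ATTRS = new Set(["src", "href"]);

// Text nodes are re-escaped, so entities in the input render literally.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function safeUrl(value) {
  // Browsers drop tabs and newlines inside a scheme, so "java\tscript:" still
  // runs; strip control characters first, then accept only http(s) or a
  // site-relative path (not protocol-relative "//host").
  const v = value.replace(/[\u0000-\u0020]/g, "");
  return /^(https?:\/\/|\/(?!\/))/i.test(v) ? v : null;
}

function allowlistSanitize(html) {
  // Minimal tokenizer: does not handle ">" inside quoted attribute values.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) continue;               // unknown tag dropped; its text stays as inert text
    if (m[1]) { out += `</${name}>`; continue; }
    let attrs = "", a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[3])) !== null) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED.get(name).includes(attr)) continue; // onerror, style, ... never pass
      let value = a[2] ?? a[3] ?? a[4] ?? "";
      if (URL_ATTRS.has(attr)) {
        value = safeUrl(value);
        if (value === null) continue;               // javascript:, data:, etc. dropped
      }
      attrs += ` ${attr}="${escapeText(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}
```

Run over LISTING, the blocklist version removes the script tag but passes the `onerror` handler and the entity-split `java&#09;script:` URL untouched, while the allowlist version emits `<img src="https://cdn.example/widget.jpg"><a>Buy</a>` and leaves the script body as plain text. For production use a maintained sanitizer such as DOMPurify rather than a hand-rolled one; and note that no sanitizer helps when, as in eBay's case, the platform permits sellers' scripts by policy.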
Several years ago I was part of another community where I was disclosing exploit vectors to the creator on a regular basis. I was able to find and demonstrate some rather amusing exploits, including one that would instantly log out all active users. You would be amazed at how many sites use a plain /logout/ URL that logs a user out without any user interaction. Mix that with the ability to post an image to a feed that could contain any URL, then add a common hashtag that everyone will see, and you have a mass logout with the side effect of déjà vu when they log in again and "see" the image. To my knowledge a lot of these exploits (or at least the ones that I didn't mention here) still exist, as fixing them would have impacted users' ability to style up their pages, and, well, that was one of the community's selling points.