eBay's reluctance to secure platform leads to more XSS attacks


eBay popped up in the news for its reactive stance on customer security: sellers are allowed to add active code to their listings, and that code can be turned against the buyers who view them. eBay does give sellers rules warning that their accounts may be limited or suspended if they are caught, but with this sort of attack the damage has already been done by the time eBay finds the code. The alarming thing is that this isn't a new problem for eBay: the same thing happened in 1999 with the eBayla exploit. That exploit was presented to eBay, but no further action was taken to fix the problem.

The fact that eBay doesn't act when security and functionality conflict says a lot about how much power users have over service providers. It is that same power that creates the security risk, and the risk will eventually blow back onto the service provider for its lack of security foresight. They are damned if they do, damned if they don't. From a financial standpoint, if eBay instantly changed its policy and removed the ability to use JavaScript in listings, a very high percentage of currently listed items would stop rendering properly. Sellers would be furious at the potential loss in sales, and customers would be left scratching their heads wondering why the listed items looked strange. This is probably why eBay is unwilling to change its stance on the inclusion of JavaScript.

The thing is that it's not just eBay that suffers from this problem. A lot of websites try to give themselves a competitive edge by allowing users the freedom to do what they want with the platform. Those freedoms lead to over-complicated parsing rules, and eventually loopholes are found that can be exploited by the curious or by those with malicious intentions. Over the past decade there have been a few notable XSS worms, each a piece of stored JavaScript that slipped through the site's content filter and then copied itself into whatever every viewer posted: MySpace had Samy, Twitter had MouseOver, and Orkut had Bom Sabado.

Several years ago I was part of another community where I was disclosing exploit vectors to the creator on a regular basis. I was able to find and demonstrate some rather amusing exploits, including one that would instantly log out all active users. You would be amazed at how many sites use /logout/ without user interaction to log out a user; mix that with the ability to post an image to a feed that could contain any URL, then add a common hashtag that everyone will see: mass logout, with the side effect of déjà vu when they log in again and "see" the image. To my knowledge a lot of these exploits (or at least the ones that I didn't mention here) still exist, as fixing them would have impacted users' ability to style up their pages, and, well, that was one of the community's selling points.