Since making these videos is as easy as making a screencapture or even just surfing, there are many many which never made it to youtube. Here is one more such example. There are a few more worthy of being posted also, while we await the next major hack attack (snicker)

  This shows the floating javascript box exploit which was used to harvest email addresses and also as an alternative to where the hackers simply placed and email address in the listings.

  You will notice I have to enable javascript for ebay and ebaystatic. This again just shows that ebay allows dangerous forms of active scripting in the user generated content  ( UGC ) of the site. They still allow that today, btw.

Noted security experts  commented:

"If eBay allows [these] tags within item descriptions, it would appear to me that they understand very little about the basic theory behind writing secure web-based applications.

"One of the golden rules is that you must strip out all html tags from user input, apart from a small subset containing any tags that you specifically want to allow (such as bold or italic text). Allowing users to publish their Javascript programs at will on eBay is asking for trouble, and linking to phishing sites is just the start of it.

"Claiming that it's not a problem because links to phishing sites are quickly removed is, frankly, beyond belief for a high-profile site such as eBay. They should know better."

That active coding is still allowed and is still claiming victims no doubt, as flash redirects are still being reported, likely the bayrob.trojan (which also relies on active content) is also still claiming victims. A quick look at the United States Computer Emergency Readiness Team at US-CERT.gov website shows that the long standing xss flaw is still present.

ebay had a reply to the active scripting situation in the same article BTW:

"Due to overwhelming demand from the eBay Community, we allow users to use active code in their listing. This enables them to use a number of tools which enhance the content of their listings. A small number of unscrupulous individuals have abused this opportunity to enter malicious code into their listings. In the rare instances where this occurs, it is typically detected by eBay and we've worked swiftly to remove them."

FACT: Ebay is a dangerous site, for more than one reason, as you can plainly see.

Avoid IT like the plague!

  In this video we see victim/seller chefdjc  (17) being hijacked and the annoying js box following scrolling action up & down the page. Don't believe for a second that ebay is any safer now. NO, to the contrary, tin addition to everything mentioned above, they have only succeeded in making the site even more dangerous by censoring the "community" all the much more since then.

Total time here is 2:57.  Best when listened to at 140dB spl

http://budmalcolm.bravejournal.com/entry/25259

There are no comments to this entry.