January 1, 2014

ebay Caught in Critical Safety Flaw Falsehood. Again.

Posted by G under ebay, Online Safety, paypal, Trust | Tags: , , , , , |
1 Comment 

The dreaded XSRF cross site request forgery exploit is still uncorrected on ebaY. That means extreme risk to both ebay and Paypal users.

 

Preface:

 

Let’s begin way back in 1999. This phylum of flaws (cross-site/scripting) has existed on ebay since before there were terms coined for it. I produced a quick & dirty video outlining not only that, but how ebay sought to make a public relations play by announcing the removal of sellers’ ability to use active scripting elements in the user generated content of ebay listings, then quietly reversed the decision, and buried that news on a backwater blog. You can cut to the quick  by clicking the more info area of the video and following the links.

 

Moving forward.

 

We blogged this vulnerability back in September. Yet if you follow the links there, you see the flaw actually existed for 3 years.

 

 

Now to the present day…

(more…)

 

June 7, 2007

eBay’s phishy old problem – porn & XSS redirect auctions on ebay revisited

Posted by G under ebay | Tags: , , , , , |
[2] Comments 

Very interesting read. Points to ebay lack of due diligence to protect users & visitors to the site, and Phishing/organized crime links. Follow links, read comments, leads to live xss listing on video, and the possibility that a DDoS attack could be launched “on* *eBay’s* *own* *servers”, using malicious coding which ebay allows in all listings

read more

 

Design a site like this with WordPress.com
Get started