
EBay under pressure as hacks continue - GotAnyMegadeth
http://www.bbc.co.uk/news/technology-29310042
======
ufmace
> The vulnerability centres around users' ability to place custom Javascript
> and Flash content into their listings pages.

Wait, what? Is that true? If so, how could anybody think that allowing the
user to place custom Javascript in their listing pages is a good idea in this
day and age?

~~~
pessimizer
It was common before Facebook, and at this point businesses are built on it.

------
DanBlake
Why is eBay not using sandboxed iframes for the auction description/content?

You don't need JS to make amazing-looking listings. Just look at all the
customized subreddits with crazy stuff going on utilizing just CSS/HTML. All
the 'tracking' needed for eBay listings could easily be done with a pixel as
well.
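As an added illustration of the approach suggested in this comment (example code, not from the thread or from eBay), the snippet below wraps an untrusted listing description in a sandboxed iframe. The helper names `escapeAttr` and `renderListingFrame` are hypothetical; the allowed-token list is the standard `sandbox` vocabulary.

```javascript
// Added example: render untrusted seller HTML inside a sandboxed iframe.
// Function names are hypothetical; nothing here is eBay's own code.

// Escape a string for inclusion inside a double-quoted HTML attribute.
// Order matters: '&' must be replaced first so later entities are not doubled.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Standard sandbox tokens a caller may deliberately re-enable.
const SANDBOX_TOKENS = new Set([
  "allow-forms",
  "allow-popups",
  "allow-scripts",
  "allow-same-origin",
  "allow-top-navigation",
]);

// Build the iframe markup for one listing description.
// sandbox="" (no tokens) is the most restrictive setting: scripts, forms,
// plugins and top-level navigation are disabled and the content gets an
// opaque origin, so it cannot read the embedding page's cookies or DOM.
function renderListingFrame(untrustedHtml, allow = []) {
  for (const token of allow) {
    if (!SANDBOX_TOKENS.has(token)) {
      throw new Error(`unknown sandbox token: ${token}`);
    }
  }
  // allow-scripts together with allow-same-origin lets framed content remove
  // its own sandbox attribute, which defeats the whole point. Refuse it.
  if (allow.includes("allow-scripts") && allow.includes("allow-same-origin")) {
    throw new Error("allow-scripts + allow-same-origin defeats the sandbox");
  }
  // Defence in depth: a CSP inside the srcdoc document blocks script and
  // plugin content even if a token is later added by mistake. Inline CSS
  // stays permitted so sellers can still style their listings.
  const csp =
    "default-src 'none'; img-src https:; style-src 'unsafe-inline'";
  const doc =
    `<!doctype html><meta http-equiv="Content-Security-Policy" ` +
    `content="${csp}">${untrustedHtml}`;
  return (
    `<iframe sandbox="${allow.join(" ")}" ` +
    `srcdoc="${escapeAttr(doc)}" referrerpolicy="no-referrer"></iframe>`
  );
}
```

The browser decodes the `srcdoc` attribute before parsing it as a document, so the escaping above is what keeps seller-supplied quotes from breaking out of the attribute. As philo23 notes further down, browsers without `sandbox` support ignore the attribute, so on those the safe fallback is to serve the description from a separate origin rather than inline.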

~~~
philo23
I was just about to comment that sandboxed iframes aren't really well
supported but it seems like I'm completely wrong, they're much better
supported than I expected [http://caniuse.com/#feat=iframe-sandbox](http://caniuse.com/#feat=iframe-sandbox)

Still, it would leave a fair chunk of users with IE 9 or older no better than
they are right now.

------
roywiggins
Does anyone else remember when Flash could execute arbitrary Javascript in the
containing page? That was super fun.

Attempting to sandbox user-supplied Javascript just seems like an exercise in
futility.

~~~
daenz
> Attempting to sandbox user-supplied Javascript just seems like an exercise
> in futility.

You just need to run the javascript in an interpreter written in javascript
/sarcasm

>> EDIT: oh god it's real
[https://github.com/mozilla/narcissus](https://github.com/mozilla/narcissus)

~~~
Igglyboo
Wait what? Wouldn't a js2js interpreter just be eval()??? How is this more
than a joke project?

~~~
roywiggins
eval() calls the interpreter that's running the current code with some
arbitrary string. The code that's interpreting it is not Javascript; you can't
poke around and change it without recompiling whatever binary it is.
Implementing Javascript in Javascript lets you quickly play with new features:
you can add features to the toy interpreter more easily than nodejs.

There's a long tradition of self-hosting compilers: C is compiled with
programs that were written in C. PyPy is a Python interpreter written in
Python (actually RPython but it's a subset of Python).

[http://en.wikipedia.org/wiki/History_of_compiler_constructio...](http://en.wikipedia.org/wiki/History_of_compiler_construction#Self-hosting_compilers)

------
Robadob
The previous BBC article regarding this never stated that eBay allows users to
embed javascript and flash into listings. No wonder they are having issues
with XSS.

~~~
makomk
As far as I can tell they're not having problems with XSS. The listing
description is actually an iframe served from a different domain with no
access to anything on the eBay website. This appears to be a straightforward
phishing attack.

~~~
yaeger
So, if I were to go to such a site with NoScript activated, I would be okay? I
mean, NoScript would probably be set up to allow ebay.com so the site actually
works, but this different domain will most likely be blocked, yes?

------
yuhong
Yeah, it is funny that PayPal has a security bug bounty program but eBay doesn't.
I think you can thank David Marcus and Bill Scott of PayPal for that.

------
Kenji
"When customers clicked on a listing that had been compromised, they were
brought to a sophisticated, official-looking site that asked victims to log in
and share bank account details." Please. One glance at the URL
("vip-ohota.com.ua") and the fact that it's not SSL reveals that something fishy is
going on. This is very, very basic, even non-tech people should look at the
URL when they enter their information. You wouldn't tell a stranger your
credit card number, you'd make sure you're talking to the right person.

~~~
nwh
It's unreasonable to expect that of people. URLs are maddeningly maddling to
parse even if you know what is going on; if you don't, it's almost impossible
to explain. Why is ebay.com.au different to ebay.com.au.edgesuite.net, and
should I worry if I see that? Why is edgesuite alright for hosting the images
on? It's a rabbit warren of edge cases and exceptions that defies all normal
levels of explanation.
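The distinction this comment describes, that a hostname is read from its right-hand end and "ebay.com.au.edgesuite.net" is therefore not part of ebay.com.au, is mechanical enough to put in code. The example below is added here and is not from the thread; the `EXPECTED_DOMAINS` allow-list is constructed for the example and the function names are hypothetical. It checks the one question that matters for a login or payment form: does the page asking for credentials sit under a domain the brand actually controls? A CDN hostname that legitimately serves images is a separate allow-list decision, which is exactly why this is hard to explain to a non-technical user.

```javascript
// Added example: decide whether a URL's host belongs to an expected brand
// domain. Names and the allow-list are constructed for illustration.

// Registrable domains a brand is known to use for pages that take
// credentials. Constructed for the example; a real list would be maintained.
const EXPECTED_DOMAINS = {
  ebay: ["ebay.com", "ebay.com.au", "ebay.co.uk"],
};

// Parse the URL with the platform URL parser and return its lowercased
// hostname, or null if the string is not a URL at all.
function hostnameOf(raw) {
  try {
    return new URL(raw).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when hostname is exactly `domain` or a subdomain of it. The match is
// anchored at the right-hand end with a leading dot, so
// "ebay.com.au.edgesuite.net" does NOT match "ebay.com.au" and
// "notebay.com" does NOT match "ebay.com".
function belongsTo(hostname, domain) {
  if (!hostname) return false;
  return hostname === domain || hostname.endsWith("." + domain);
}

// Classify a URL for a brand: { hostname, trusted, reason }.
// Only the hostname is consulted; the brand name appearing in the path or
// query string carries no weight.
function classify(raw, brand) {
  const hostname = hostnameOf(raw);
  if (hostname === null) {
    return { hostname, trusted: false, reason: "unparseable URL" };
  }
  const matched = (EXPECTED_DOMAINS[brand] || []).find((d) =>
    belongsTo(hostname, d)
  );
  if (!matched) {
    return {
      hostname,
      trusted: false,
      reason: "hostname is not under an expected domain",
    };
  }
  if (new URL(raw).protocol !== "https:") {
    return { hostname, trusted: false, reason: "expected domain but not HTTPS" };
  }
  return { hostname, trusted: true, reason: `under ${matched}` };
}
```

Run `classify("https://ebay.com.au.edgesuite.net/img.png", "ebay")` and the result is untrusted with the hostname reason, while `classify("https://www.ebay.com.au/signin", "ebay")` is trusted: the same rule a browser or password manager applies when deciding whether to offer saved credentials.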

~~~
Kenji
If it's unreasonable to expect that of people, it's unreasonable of people to
expect security.

~~~
ZeroMinx
Disagree.

We technical people instinctively know there's a fundamental difference
between those 2 domains. Normal people don't. And why should they?

We (tech people) have to get the situation to a point where we don't expect
normal people to have to know all these silly details.

I'm not doing anything to help achieve this, I'm hoping other people are :)

~~~
Karunamon
I really, truly don't see how this is a "silly detail" any more than ensuring
the person who collects your credit card information in a retail setting, in
person, actually represents the company they claim to, by looking for a
uniform, nametag, or other immediately obvious information that identifies
someone as working for someone else.

We've been trying to drill it into people to look for the lock icon before
entering anything personal for decades and it's kinda starting to stick.

Is it really that much more to ask that you double check to see if the URL
you're putting your sensitive information on matches what it claims to be?

It's literally _right there_. A glance upwards. No clicks or any special
arcane knowledge required.

~~~
hnal943
I think if a conman could get behind the counter in a retail setting, people
would give their credit cards over as easily as they do online. No one is
looking at the cashier to make sure that they are legitimate, and that's
because they don't have to: no retail business could survive news reports of
people getting scammed in this way. Honestly the same is true online. There's
no expectation that if you started out on Nordstroms.com that your purchase
information will be stolen by an imposter. Since Nordstrom's controls the
content on that site, it's very difficult for an attack like that to occur.

