On 2016-03-02, Chris Angelico <ros...@gmail.com> wrote:
> To be fair, this isn't a JS exploit; it's a trusting-of-trust issue -
> eBay has declared that you can trust them to sanitize their sellers'
> listings, and so you trust eBay, but this exploit gets past the
> filter.

This is true. It sounds like their filter is frankly bizarre; I can't imagine why it works the way that has been described.

> You're no more vulnerable looking at one of those listings
> than you would be going to a web site entirely controlled by the
> attacker, save that (particularly on mobile devices) there are a lot
> of people out there who'll say "Oh, it's eBay, I'm safe".

This however I don't think is true at all. eBay already has a great deal of data about its customers; if an attacker can hijack sessions and steal this data just from a user visiting a listings page then that isn't anything like visiting a random malicious site.