On Thu, Mar 3, 2016 at 5:29 AM, Jon Ribbens <jon+use...@unequivocal.co.uk> wrote:
> On 2016-03-02, Chris Angelico <ros...@gmail.com> wrote:
>> To be fair, this isn't a JS exploit; it's a trusting-of-trust issue -
>> eBay has declared that you can trust them to sanitize their sellers'
>> listings, and so you trust eBay, but this exploit gets past the
>> filter.
>
> This is true. It sounds like their filter is frankly bizarre,
> I can't imagine why it works the way that has been described.
Agreed. I also don't understand why they can't simply say "no <script>
tags permitted". By the look of the error message, they've been playing
whack-a-mole with exploits as they're found, rather than actually
designing for security.

>> You're no more vulnerable looking at one of those listings
>> than you would be going to a web site entirely controlled by the
>> attacker, save that (particularly on mobile devices) there are a lot
>> of people out there who'll say "Oh, it's eBay, I'm safe".
>
> This however I don't think is true at all. eBay already has a great
> deal of data about its customers, if an attacker can hijack sessions
> and steal this data just from a user visiting a listings page then
> that isn't anything like visiting a random malicious site.

Hmm, maybe. But the description of the exploit talks of getting people
to click a button to install an app, which is something anyone could do
with full control of a web site; the value (to the attacker) of
exploiting the eBay filter limitation is that it slips it into an
otherwise-trusted web site (both from the human's point of view - "this
is eBay, it's fine" - and from a machine filter's - "yes, this is the
same site you thought you were on").

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list