On 2016-03-02, Chris Angelico <ros...@gmail.com> wrote: > On Thu, Mar 3, 2016 at 5:29 AM, Jon Ribbens ><jon+use...@unequivocal.co.uk> wrote: >> On 2016-03-02, Chris Angelico <ros...@gmail.com> wrote: >>> You're no more vulnerable looking at one of those listings >>> than you would be going to a web site entirely controlled by the >>> attacker, save that (particularly on mobile devices) there are a lot >>> of people out there who'll say "Oh, it'e eBay, I'm safe". >> >> This however I don't think is true at all. eBay already has a great >> deal of data about its customers, if an attacker can hijack sessions >> and steal this data just from a user visiting a listings page then >> that isn't anything like visiting a random malicious site. > > Hmm, maybe. But the description of the exploit talks of getting people > to click a button to install an app, which is something anyone could > do with full control of a web site;
I think that's just a proof-of-concept sort of thing. There's much more interesting things you can do than put up "download this exe and run it" pop-ups if you can run arbitrary javascript in someone else's domain. > the value (to the attacker) of exploiting the eBay filter limitation > is that it slips it into an otherwise-trusted web site (both from > the human's point of view -"this is eBay, it's fine" - and from a > machine filter's - "yes, this is the same site you thought you were > on"). You can of course just register egay.com (or whatever) and hope for the best (including putting an SSL cert on it). -- https://mail.python.org/mailman/listinfo/python-list
