This news is from almost exactly 8 years ago. Softpedia reported 13 days later that eBay partially patched it, but the patch was insufficient. I could not find further updates, but I do know that eBay has since removed more advanced JavaScript (incl. JSFuck) from all listings in 2017.

“An attacker could target eBay users by sending them a legitimate page that contains malicious code,” Check Point researcher Oded Vanunu wrote in a blog post published Tuesday. “Customers can be tricked into opening the page, and the code will then be executed by the user’s browser or mobile app, leading to multiple ominous scenarios that range from phishing to binary download.”

To exploit this vulnerability, all an attacker needs to do is create an online eBay store. In his store details, he posts a maliciously crafted item description. eBay prevents users from including scripts or iFrames by filtering out those HTML tags. However, by using JSF**k, the attacker is able to create a code that will load an additional JS code from his server. This allows the attacker to insert a remote controllable JavaScript that he can adjust to, for example, create multiple payloads for a different user agent.

eBay performs simple verification but only strips alpha-numeric characters from inside the script tags. The JSF**k technique allows the attackers to get around this protection by using a very limited and reduced number of characters.

eBay has no plans to fix a “severe” vulnerability that allows attackers to use the company’s trusted website to distribute malicious code and phishing pages, researchers from security firm Check Point Software said.

In an e-mail sent to Ars after [their article] went live, eBay officials wrote: “eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”

The e-mail added:

Also, it’s important to understand that we have been in touch with the researcher and have implemented various security filters based on his findings to detect this exploit. Since we allow active content on our site it’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.
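
The filter behaviour quoted above, as an added example that is not part of the original post and is not Check Point's or eBay's code: a filter that only strips alphanumeric characters inside script tags leaves symbol-only JavaScript unchanged, while a reviewer-side heuristic can flag such runs. The sample expression, the function names and the 12-character threshold are assumptions made for illustration.

```javascript
// Constructed sample: a harmless symbol-only expression that evaluates to "f".
const SYMBOL_ONLY_SAMPLE = "(![]+[])[+[]]";

// The filter as the quoted text describes it: strip alphanumeric characters
// from inside <script> bodies and leave everything else alone.
function stripAlphanumericInScripts(html) {
  return html.replace(
    /(<script\b[^>]*>)([\s\S]*?)(<\/script>)/gi,
    (_, open, body, close) => open + body.replace(/[A-Za-z0-9]/g, "") + close
  );
}

// Detection heuristic: long runs made only of the six characters []()!+
// (assumed threshold: 12). Ordinary listing text rarely contains such runs.
const SYMBOL_ONLY_RUN = /[\[\]()!+]{12,}/g;

function findSymbolOnlyRuns(text) {
  return text.match(SYMBOL_ONLY_RUN) || [];
}

// Review one listing description before it is published.
function reviewListing(html) {
  const filtered = stripAlphanumericInScripts(html);
  const runs = findSymbolOnlyRuns(html);
  return {
    filtered,
    // True when a <script> is present and the filter changed nothing at all.
    unchangedByFilter: /<script\b/i.test(html) && filtered === html,
    symbolOnlyRuns: runs,
    reject: runs.length > 0,
  };
}

// Constructed listing descriptions.
const ordinaryScript = "<p>Lamp</p><script>alert(1)</script>";
const symbolOnlyScript = "<p>Lamp</p><script>" + SYMBOL_ONLY_SAMPLE + "</script>";

console.log(reviewListing(ordinaryScript));
console.log(reviewListing(symbolOnlyScript));
```

A character-pattern check like this is a review signal only; the durable control is the one the post says eBay eventually adopted, removing active content from listings.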

  • Limeey@lemmy.world
    5 months ago

    Their response reminds me of a certain fight club quote…

    If X is less than the cost of a recall, then we don’t recall.

  • TonyTonyChopper@mander.xyz
    5 months ago

    We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.

    Typical corporate PR just lying outright. The issue was known for 8 years.

    • Aatube@kbin.socialOP
      5 months ago

      The Ars article is also from 8 years ago, one day after the thing was published. The attack vector was removed in 2017.

  • wildginger
    5 months ago

    Cool, no more eBay for me. Not really a loss, the site sucks, but now it's not worth the risk to even browse.

    • Aatube@kbin.socialOP
      5 months ago

      The article’s from 8 years ago. The exploit’s probably patched now.

      • wildginger
        5 months ago

        Why would you not include that in the body of your post that went into extra detail about how eBay was making statements about ignoring the exploit?

        And also, do you have any sources that confirm it's been patched in any way? Because an exploit being old is not proof it doesn't exist anymore.