MoonPoint Support Logo

 


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
February
Sun Mon Tue Wed Thu Fri Sat
  3
         
2016
Months
Feb


Wed, Feb 03, 2016 11:21 pm

eBay JavaScript block does not block all JavaScript

A number of sites that report on technology/computing issues carried reports today regarding the possibility of malware being distributed via eBay custom listings. E.g., TechWeek Europe UK has the article eBay 'Won't Fix' JavaScript Flaw That Exposes Users To Malware, Phishing and Ars Technica has the article eBay has no plans to fix “severe” bug that allows malware distribution. The articles state that eBay normally blocks sellers from using JavaScript code in listings, but that malefactors can circument eBay's block by building their JavaScript code with non- alphanumeric characters, specifically the six characters . (,),[,],! and +. According to the TechEurope UK article:

Security software firm CheckPoint says eBay usually filters out scripts and iFrames from item descriptions or online stores, but only strips alphanumeric characters from these HTML tags.

CheckPoint claims that by using those non-alphanumeric characters, malefactors could pull code from a remote server that would allow them to trick an unsuspecting eBay user visiting a eBay store listing where the nefarious JavaScript is posted into agreeing to install software that the user may incorrectly assume is being provided by eBay.

CheckPoint stated it informed eBay of the potential issue on December 15, but on January 16 was informed that eBay would not be providing a fix for the issue because active content is allowed on eBay's website.

eBay's HTML and JavaScript Policy page has the following guidelines on what sellers aren't allowed to do on their listing pages:

You can't use HTML or JavaScript that:

I.e., the above guidelines do not seem to preclude the use of any JavaScript on a listing page. And there are sites that provide scripts to be used in eBay listings, e.g., Script Snips at Auction Repair .

[/security/malware] permanent link

Once You Know, You Newegg AliExpress by Alibaba.com

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo