A number of sites that report on technology/computing issues carried reports today regarding the possibility of malware being distributed via eBay custom listings. E.g., TechWeek Europe UK has the article eBay 'Won't Fix' JavaScript Flaw That Exposes Users To Malware, Phishing and Ars Technica has the article eBay has no plans to fix "severe" bug that allows malware distribution. The articles state that eBay normally blocks sellers from using JavaScript code in listings, but that malefactors can circumvent eBay's block by building their JavaScript code from non-alphanumeric characters, specifically the six characters (, ), [, ], ! and +. According to the TechWeek Europe UK article:
Security software firm CheckPoint says eBay usually filters out scripts and iFrames from item descriptions or online stores, but only strips alphanumeric characters from these HTML tags.
CheckPoint claims that by using those non-alphanumeric characters, malefactors could pull code from a remote server. That code could then trick an unsuspecting eBay user visiting an eBay store listing where the nefarious JavaScript is posted into agreeing to install software that the user may incorrectly assume is being provided by eBay.
CheckPoint stated it informed eBay of the potential issue on December 15, but on January 16 was informed that eBay would not be providing a fix for the issue because active content is allowed on eBay's website.
eBay's HTML and JavaScript Policy page has the following guidelines on what sellers aren't allowed to do on their listing pages:
You can't use HTML or JavaScript that:
- Calls remote scripts and pages automatically, such as JavaScript "includes" or "iframes."
- Changes registry entries or otherwise writes to another person's computer hard drive.
- Creates automatic pop-ups except for links that open in a new window when clicked on.
- Is used to drop or read a cookie on any eBay page.
- Loads any binary program on another person's computer automatically, except for Flash content.
- Launches a song or video when a listing is opened.
- Overwrites any area in the listing outside of the item description area.
- Manipulates areas outside the listing description, including changing fonts, colors, and backgrounds in areas such as eBay headers and footers.
- Posts to scripts on eBay automatically.
- Redirects the user from eBay to another web page, such as using the "replace" script.
That is, the above guidelines do not seem to preclude the use of all JavaScript on a listing page. And there are sites that provide scripts to be used in eBay listings, e.g., Script Snips at Auction Repair.