How eBay is combatting cross-site scripting announcement

This afternoon eBay have made an announcement about how they tackle the so-called “cross site scripting” that we wrote about on Tamebay a few weeks ago. They explain the level of the risk and what they are doing to tackle it.

Perhaps most notably, eBay note that they will not be changing site rules to prevent the use of Flash or JavaScript on the site, because the value of such content is greater than the risk of a few dodgy listings.

We reproduce the announcement here verbatim. You can view it on eBay here.

***How eBay is combatting cross-site scripting***

Lynda Talgo – Vice President of Global Managed Marketplace

When we became aware of reports about eBay customers being vulnerable due to cross-site scripting, we took these claims extremely seriously – nothing is more important than the trust of our customers. We quickly conducted an internal investigation to ensure the processes and policies we have in place are properly addressing this issue.

What is cross-site scripting?
eBay allows the use of active content on our marketplace, including JavaScript, Flash, links, videos and pictures to enrich the buyer and seller experience. Examples include the ability for sellers to cross-merchandise items, personalize and brand eBay stores, incorporate videos into listings, provide links to eBay stores and scroll/zoom pictures in the item description.

While both sellers and buyers benefit from active content, we are aware that active content may be used in abusive ways. In particular, the practice of cross-site scripting – carried out by criminals – is an issue that affects sites that allow active content across the Internet.

How common is cross-site scripting on eBay?
It’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.

How we combat the use of malicious code
· We have a multi-level security system designed to detect the use of malicious code on our marketplace.
· We employ technologies that prevent sellers from using certain kinds of active content in their item descriptions.
· We also apply technologies that support us in identifying malicious content in listings and take the appropriate actions to remove it.

We remove the vast majority of listings containing malicious content within one hour of detection.

After a recent review of our processes and policies, we believe the benefits of allowing active content to our customers outweigh the extremely low likelihood of being exposed to them.

Committed to your safety

We’re fully committed to our millions of customers, and you can count on us to remain steadfast in our efforts to provide a safe and secure marketplace for buyers and sellers around the world.

Any customer who spots a listing of concern can use the ‘report item’ function at the bottom right of the listing page.