Following on from the BBC press about eBay XSS vulnerabilities and several hundred listings being identified as phishing directly from the eBay site, we thought we should poll the experts for some opinions.
How a ban on active code would impact your custom listing design
Is HTML5 the answer?
The designers tell us that HTML5 is not yet 100% compatible on eBay and even if it was, it would not allow for some of the functionality that you see available in descriptions or shops today. Plus of course HTML5 relies on the user having a bang up to date browser or it simply won’t be supported.
You might think it’s a great way to force users to update their browser, but go to http://html5test.com/ and you’ll find your (hopefully) up to date browser doesn’t fully support HTML5 yet. Add the older devices, which must include internet enabled TVs, games consoles and a plethora of smartphones and tablets that can’t be upgraded to the latest versions, and you can see it’s a bit of a problem.
Perhaps a solution may be a ban on all active code except that specifically tested and approved by eBay. If they could work with the listing design companies their code could be approved, but of course there are hundreds of smaller companies whose code could be banned, not to mention the sellers who code their own listings.
But what they must do is:
1) restore and maintain a stable trading platform
2) repair the damaged perception in the eyes of all users as to the security of their personal data.
There would appear to be an ongoing credibility gap.
The call to ban these things is shrill and the kind of thing you’d expect from the Daily Mail.
The numbers of compromised listings — the Defect Rate, if you will — is tiny. We’re talking a few hundred listings out of millions.
It’s about the same rate as the amount of fraud on Paypal. Are we suggesting Paypal should be banned from eBay listings? It’s about the same rate as fake tenners. Are we suggesting they should be taken out of circulation?
Just because there are a few bad buildings you don’t tear down an entire city. eBay can police the listings with relative ease, and perhaps — just perhaps — users can grow up a little and take their own personal responsibility for not entering their passwords into phishing sites.
Doesn’t matter about the defect rate; at the end of the day it’s not a complicated attack, and eBay are currently allowing the phishing of usernames and passwords direct on their own website, and it has been going on since February at the earliest.
Just describe the product, that’s all you need to do along with some basic design to make it look a little more professional and easier to read.
My comments on Java are a bit off, but yeah there really is no need for it on eBay. Most people have browsers that can handle most HTML 5 functionality
The BBC and the lefties in society annoy me – they have nothing better to write about. There is nothing wrong with eBay, it’s more about people who are so brain dead they give their passwords away or click on phishing links – they deserve to get their accounts hacked
What has this got to do with “lefties” ?
Nothing wrong with eBay; think that joke won the best joke of the Fringe award.
Also people stupid enough to click on the links? What links. It’s a complete redirection to a perfect copy of the eBay log in page by simply clicking on the item from the search function in eBay.
Finally left wingers are usually the ones to decry over-policing ;)
“The BBC and the lefties in society annoy me – they have nothing better to write about”
Yet according to another poster on the thread:
“The call to ban these things is shrill and the kind of thing you’d expect from the Daily Mail.”
Covers a wide political spectrum it would seem
Just waiting on the inevitable comparison to Nazi Germany
The problem is that eBay allows obfuscated code, which people like Frooition use to include external files even though it’s not allowed. eBay’s system is either too basic to detect these exploits or we have to assume they condone it because they have allowed companies to do it for years.
Look at the source of a Frooition template, like the Laura Ashley shop, and see the techniques they use to include external files. Stuff like this:
var az = "SC";
var bz = "RI";
var cz = "PT";
Then they concatenate them to output “SCRIPT”.
Once you start allowing exploits then it becomes a nightmare to manage – eBay could make a change to their code which breaks millions of listings. Also it becomes harder, although by no means impossible, to detect malicious code.
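To show what the two threads of this discussion look like in practice (the allow-list of approved markup suggested in the article, and the fragment-concatenation trick quoted in the comment above), here is an added scanner for listing HTML. It is example code written for this page, not eBay's filter and not code from Frooition or any listing-design company. It assumes a small, hypothetical allow-list of tags and treats the concatenation check as a heuristic: it joins every short string literal it finds, in document order, and looks for an active-content tag name in the result. The three listings it scans are constructed for the example.

```javascript
// Added example: a defender-side scanner for marketplace listing HTML.
// Not eBay's or any template vendor's code; the allow-list below is a
// hypothetical policy and all sample listings are constructed.

// Hypothetical allow-list: static presentation markup only, no active content.
const ALLOWED_TAGS = new Set([
  'a', 'b', 'br', 'div', 'em', 'h1', 'h2', 'h3', 'i', 'img', 'li', 'ol',
  'p', 'span', 'strong', 'table', 'td', 'th', 'tr', 'u', 'ul',
]);

// Tag names an obfuscated loader tries to assemble from string fragments.
const ASSEMBLED_TOKENS = ['script', 'iframe', 'object', 'embed'];

// Every opening tag name in the HTML, lower-cased, in document order.
function tagNames(html) {
  const names = [];
  const re = /<\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Tags the allow-list policy would reject (deduplicated).
function findDisallowedTags(html) {
  return [...new Set(tagNames(html).filter((t) => !ALLOWED_TAGS.has(t)))];
}

// Inline event handler attributes such as onload= or onmouseover=.
function findEventHandlers(html) {
  const found = [];
  const re = /\s(on[a-z]+)\s*=/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].toLowerCase());
  return [...new Set(found)];
}

// href/src values using a scheme that executes code or embeds content.
function findDangerousUrls(html) {
  const found = [];
  const re = /\b(?:href|src)\s*=\s*["']?\s*((?:javascript|vbscript|data)\s*:)/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].replace(/\s+/g, '').toLowerCase());
  return [...new Set(found)];
}

// Heuristic for the fragment trick ("SC" + "RI" + "PT"): join every short
// string literal in document order and look for an active-content tag name.
function findAssembledTokens(html) {
  const fragments = [];
  const re = /["']([^"'\n]{1,4})["']/g;
  let m;
  while ((m = re.exec(html)) !== null) fragments.push(m[1]);
  const joined = fragments.join('').toLowerCase();
  return ASSEMBLED_TOKENS.filter((t) => joined.includes(t));
}

// Full report for one listing; any finding at all means the policy rejects it.
function scanListing(html) {
  const report = {
    disallowedTags: findDisallowedTags(html),
    eventHandlers: findEventHandlers(html),
    dangerousUrls: findDangerousUrls(html),
    assembledTokens: findAssembledTokens(html),
  };
  report.verdict = Object.values(report).some((v) => v.length > 0) ? 'reject' : 'allow';
  return report;
}

// Constructed sample listings (not real eBay content).
const CLEAN_LISTING = `
<div class="listing"><h1>Vintage lamp</h1>
<p>Brass base, <b>working</b> switch. See <a href="https://example.com/returns">returns</a>.</p>
<img src="https://example.com/lamp.jpg" alt="brass lamp"></div>`;

// Modelled on the fragments quoted in the comment: an outer script assembles
// a nested SCRIPT tag so that the word never appears literally in the source.
const OBFUSCATED_LISTING = `
<div><p>Designer template</p>
<script>
var az = "SC";
var bz = "RI";
var cz = "PT";
document.write("<" + az + bz + cz + " src='https://cdn.example.net/loader.js'></" + az + bz + cz + ">");
</script></div>`;

// Benign-intent active content that an allow-list policy would still reject.
const HANDLER_LISTING = `<div><p onmouseover="track()">Hover for details</p>
<a href="javascript:openShop()">Visit our shop</a></div>`;

for (const [name, html] of [['clean', CLEAN_LISTING], ['obfuscated', OBFUSCATED_LISTING], ['handler', HANDLER_LISTING]]) {
  console.log(name, JSON.stringify(scanListing(html)));
}
```

The concatenation check is deliberately crude: it only catches fragments that appear in source order, which is the pattern quoted above, and it will miss fragments assembled out of order or built from character codes. That is the comment's point in practice: once arbitrary script is permitted, detection of its obfuscated variants is a moving target, whereas the allow-list check (no script, iframe, event handler or javascript: URL at all) rejects every one of these listings regardless of how the payload is spelled.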