How eBay is combatting cross-site scripting announcement

By Dan Wilson October 13, 2014 - 4:19 pm

This afternoon eBay have made an announcement about how they tackle the so-called “cross site scripting” that we wrote about on Tamebay a few weeks ago. They explain the level of the risk and what they are doing to tackle it.

Perhaps most notably, eBay note that they will not be changing site rules to prevent the use of Flash or JavaScript on the site, because the value of that is greater than the risk of a few dodgy listings.

We reproduce the announcement here verbatim. You can view it on eBay here.

***How eBay is combatting cross-site scripting***

Lynda Talgo – Vice President of Global Managed Marketplace

When we became aware of reports about eBay customers being vulnerable due to cross-site scripting, we took these claims extremely seriously – nothing is more important than the trust of our customers. We quickly conducted an internal investigation to ensure the processes and policies we have in place are properly addressing this issue.

What is cross-site scripting?
eBay allows the use of active content on our marketplace, including JavaScript, Flash, links, videos and pictures to enrich the buyer and seller experience. Examples include the ability for sellers to cross-merchandise items, personalize and brand eBay stores, incorporate videos into listings, provide links to eBay stores and scroll/zoom pictures in the item description.

While both sellers and buyers benefit from active content, we are aware that active content may be used in abusive ways. In particular, the practice of cross-site scripting – carried out by criminals – is an issue that affects sites that allow active content across the Internet.

How common is cross-site scripting on eBay?
It’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.

How we combat the use of malicious code
· We have a multi-level security system designed to detect the use of malicious code on our marketplace.
· We employ technologies that prevent sellers from using certain kinds of active content in their item descriptions.
· We also apply technologies that support us in identifying malicious content in listings and take the appropriate actions to remove.

We remove the vast majority of listings containing malicious content within one hour of detection.

After a recent review of our processes and policies, we believe the benefits of allowing active content to our customers outweigh the extremely low likelihood of being exposed to them.

Committed to your safety

We’re fully committed to our millions of customers, and you can count on us to remain steadfast in our efforts to provide a safe and secure marketplace for buyers and sellers around the world.

Any customer who spots a listing of concern can use the ‘report item’ function at the bottom right of the listing page.

  • Tim
    3 years ago

    Really disappointed with their response. It doesn’t matter if it’s estimated (how do they estimate?) 2 listings every 1 million. That still means that there are two listings that will be live for possibly an hour which multiple people could click into and become a victim. I wonder the percentage wise, not just 2 every 1 million which is purposely said to try and make it look so tiny. I’m sure there’s millions of listings active each day.

    It’s 2 in every million now but it can be exploited similar to what we saw with YouTube in the past where they were taken over and the site was basically taken offline because there were too many videos being redirected.

    I personally won’t purchase from eBay from now on, I’ll stick to Amazon. I only use eBay for niche things but now it’s just not worth the hassle.

    This would hurt new businesses starting on eBay considerably. I can’t imagine many people feeling confident clicking into listings from sellers with under 50 feedback.

  • Roger
    3 years ago

    Tim, I think you are overreacting; in the last 2-3 years almost every large tech company has been hacked or had its defences breached in some way or another.

    Tim, also, as you are not keen on taking risks, here are some other numbers you may not like and may have to take into account and rethink your whole life.

    The odds of dying in a plane crash are 1 in 11 million [sources: Clarke, Ropeik]. The odds of dying in a car accident are around 1 in 5,000.

    I am guessing you will now be walking everywhere.
