This news is from almost exactly 8 years ago. Softpedia reported 13 days later that eBay partially patched it, but the patch was insufficient. I could not find further updates, but I do know that eBay has since removed more advanced JavaScript (incl. JSFuck) from all listings in 2017.

“An attacker could target eBay users by sending them a legitimate page that contains malicious code,” Check Point researcher Oded Vanunu wrote in a blog post published Tuesday. “Customers can be tricked into opening the page, and the code will then be executed by the user’s browser or mobile app, leading to multiple ominous scenarios that range from phishing to binary download.”

To exploit this vulnerability, all an attacker needs to do is create an online eBay store. In his store details, he posts a maliciously crafted item description. eBay prevents users from including scripts or iFrames by filtering out those HTML tags. However, by using JSF**k, the attacker is able to create a code that will load an additional JS code from his server. This allows the attacker to insert a remote controllable JavaScript that he can adjust to, for example, create multiple payloads for a different user agent.

eBay performs simple verification but only strips alpha-numeric characters from inside the script tags. The JSF**k technique allows the attackers to get around this protection by using a very limited and reduced number of characters.

eBay has no plans to fix a “severe” vulnerability that allows attackers to use the company’s trusted website to distribute malicious code and phishing pages, researchers from security firm Check Point Software said.

In an e-mail sent to Ars after [their article] went live, eBay officials wrote: " "eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”

The e-mail added:

Also, it’s important to understand that we have been in touch with the researcher and have implemented various security filters based on his findings to detect this exploit. Since we allow active content on our site it’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.

  • Limeey@lemmy.world
    link
    fedilink
    English
    arrow-up
    24
    ·
    edit-2
    11 months ago

    Their response reminds me of a certain fight club quote…

    If X is less than the cost of a recall, then we don’t recall.

  • TonyTonyChopper@mander.xyz
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    1
    ·
    11 months ago

    We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.

    Typical corporate PR just lying outright.The issue was known for 8 years

    • Aatube@kbin.socialOP
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      11 months ago

      The Ars article is also from 8 years ago, one day after the thing was published. The attack vector was removed in 2017.

  • wildginger@lemmy.myserv.one
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    3
    ·
    11 months ago

    Cool, no more ebay for me. Not really a loss, the site sucks, but now its not worth the risk to even browse

    • Aatube@kbin.socialOP
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      11 months ago

      The article’s from 8 years ago. The exploit’s probably patched now.

      • wildginger@lemmy.myserv.one
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        11 months ago

        Why would you not include that in the body of your post that went into extra detail about how ebay was making statements about ignoring the exploit?

        And also, do you have any sources that confirm its been patched in any way? Because an exploit being old is not proof it doesnt exist anymore.