> The vulnerability centres around users' ability to place custom Javascript and Flash content into their listings pages.

Wait, what? Is that true? If so, how could anybody think that allowing the user to place custom Javascript in their listing pages is a good idea in this day and age?
Why is eBay not using sandboxed iframes for the auction description/content?

You don't need JS to make amazing looking listings. Just look at all the customized subreddits with crazy stuff going on utilizing just CSS/HTML. All the 'tracking' needed for eBay listings could easily be done with a pixel as well.
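What the sandboxed-iframe approach asked about in the comment above could look like, as an added example that is not part of the thread and not eBay's code. The function names and the sample listing used to try it are made up for illustration.

```javascript
// Added example. All names here are hypothetical, not from any eBay code.

// Escape a string for use inside a double-quoted HTML attribute.
// The browser decodes these entities again before parsing srcdoc as a document.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Sandbox tokens that hand capabilities back to the framed content.
// allow-scripts combined with allow-same-origin is the weakest setting:
// same-origin framed script can reach the parent and remove the sandbox.
const RISKY_TOKENS = new Set([
  "allow-scripts", "allow-same-origin", "allow-top-navigation",
  "allow-top-navigation-by-user-activation", "allow-forms", "allow-popups",
]);

// Return the risky tokens present in a sandbox attribute value,
// e.g. for reviewing templates that already use iframes.
function riskySandboxTokens(sandboxValue) {
  return sandboxValue.split(/\s+/).filter((t) => RISKY_TOKENS.has(t));
}

// Wrap seller-supplied HTML in an iframe with an empty sandbox attribute:
// no script execution, no form submission, no popups, no navigation of the
// top-level page, and an opaque origin. HTML and CSS still render.
function renderListingFrame(sellerHtml) {
  // CSP inside the framed document as a second layer: images over https
  // and inline styles only, everything else denied.
  const csp = "default-src 'none'; img-src https:; style-src 'unsafe-inline'";
  const doc =
    `<!doctype html><meta http-equiv="Content-Security-Policy" content="${csp}">` +
    sellerHtml;
  return `<iframe sandbox="" srcdoc="${escapeAttr(doc)}" title="Item description"></iframe>`;
}
```
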
Does anyone else remember when Flash could execute arbitrary Javascript in the containing page? That was super fun.

Attempting to sandbox user-supplied Javascript just seems like an exercise in futility.
The previous BBC article regarding this never stated that eBay allows users to embed JavaScript and Flash into listings. No wonder they are having issues with XSS.
Yeah, it is funny that PayPal has a security bug bounty program but eBay doesn't. I think you can thank David Marcus and Bill Scott of PayPal for that.
"When customers clicked on a listing that had been compromised, they were brought to a sophisticated, official-looking site that asked victims to log in and share bank account details."
Please. One glance at the URL ("vip-ohota.com.ua") and the fact that it's not SSL reveals that something fishy is going on. This is very, very basic, even non-tech people should look at the URL when they enter their information. You wouldn't tell a stranger your credit card number, you'd make sure you're talking to the right person.