Speaking of Javascript [was Re: Everything good about Python except GUI IDE?]

Chris Angelico rosuav at gmail.com
Wed Mar 2 12:46:48 EST 2016


On Thu, Mar 3, 2016 at 4:05 AM, Steven D'Aprano <steve at pearwood.info> wrote:
> Speaking of Javascript exploits:
>
> http://thedailywtf.com/articles/bidding-on-security
>
>
> This is a real exploit, and Ebay have refused to fix it. Yay them!
>
> More here:
>
> http://blog.checkpoint.com/2016/02/02/ebay-platform-exposed-to-severe-vulnerability/

To be fair, this isn't a JS exploit; it's a trusting-of-trust issue -
eBay has declared that you can trust them to sanitize their sellers'
listings, and so you trust eBay, but this exploit gets past the
filter. You're no more vulnerable looking at one of those listings
than you would be going to a web site entirely controlled by the
attacker, save that (particularly on mobile devices) there are a lot
of people out there who'll say "Oh, it's eBay, I'm safe".

ChrisA
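The reply above turns on a point worth making concrete: a marketplace that lets sellers supply HTML is promising to sanitize it, and a filter that tries to recognise "bad" constructs will eventually miss one. The defender's alternative is an allowlist sanitizer that keeps only known-safe tags and attributes and escapes everything else, so there is nothing for an encoding trick to slip past. The following is an added illustration written for this note, not code from eBay, Check Point, or either poster; the tag set, attribute set and sample listing markup are assumptions chosen for the example.

```python
"""Allowlist-based HTML sanitizer for untrusted seller markup.

Added example, not code from the original thread or from eBay. The
allowed tag/attribute sets are illustrative assumptions: a real site
would pick its own, but the principle is the same - nothing that is
not explicitly on the list survives.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "li", "a"}  # assumption
ALLOWED_ATTRS = {"a": {"href"}}   # no event handlers, no style, no id/class
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https"}  # javascript:, data:, etc. are rejected
DROP_CONTENT = {"script", "style"}  # tag AND its text content are discarded


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from scratch, emitting only allowlisted pieces."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # stack used to keep the output well-formed
        self._skipping = False # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element dropped; its text still flows through handle_data
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # any attribute not on the allowlist is discarded
            value = value or ""
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # only absolute http(s) links are kept
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skipping = False
            return
        if tag in self.open_tags:
            # close everything opened after the matching tag, then the tag itself
            while self.open_tags:
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if self._skipping:
            return
        # text is always escaped, so '<' or '&' typed by the seller stays inert
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    """Return a safe HTML fragment built only from allowlisted content."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # constructed sample listing markup, not taken from any real listing
    sample = ('<p>Great <b onclick="track()">item</b>, see '
              '<a href="javascript:run()">details</a> or '
              '<a href="https://example.com/item">the page</a></p>'
              '<script>doSomething()</script>Ships in 5 < 6 days')
    print(sanitize(sample))
```

Because the parser rebuilds the output rather than editing the input, the question "did the filter recognise this construct?" never arises: an attribute or scheme the allowlist does not name is simply not emitted, and text is always escaped. That is the property a denylist filter cannot offer, and it is why the bypass in the linked article is a design problem rather than a JavaScript one.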