Speaking of Javascript [was Re: Everything good about Python except GUI IDE?]

Chris Angelico rosuav at gmail.com
Wed Mar 2 15:55:32 EST 2016


On Thu, Mar 3, 2016 at 5:29 AM, Jon Ribbens
<jon+usenet at unequivocal.co.uk> wrote:
> On 2016-03-02, Chris Angelico <rosuav at gmail.com> wrote:
>> To be fair, this isn't a JS exploit; it's a trusting-of-trust issue -
>> eBay has declared that you can trust them to sanitize their sellers'
>> listings, and so you trust eBay, but this exploit gets past the
>> filter.
>
> This is true. It sounds like their filter is frankly bizarre,
> I can't imagine why it works the way that has been described.

Agreed. I also don't understand why they can't simply say "no <script>
tags permitted". By the look of the error message, they've been
playing whack-a-mole with exploits as they're found, rather than
actually designing for security.

>> You're no more vulnerable looking at one of those listings
>> than you would be going to a web site entirely controlled by the
>> attacker, save that (particularly on mobile devices) there are a lot
>> of people out there who'll say "Oh, it's eBay, I'm safe".
>
> This however I don't think is true at all. eBay already has a great
> deal of data about its customers, if an attacker can hijack sessions
> and steal this data just from a user visiting a listings page then
> that isn't anything like visiting a random malicious site.

Hmm, maybe. But the description of the exploit talks of getting people
to click a button to install an app, which is something anyone could
do with full control of a web site; the value (to the attacker) of
exploiting the eBay filter limitation is that it slips it into an
otherwise-trusted web site (both from the human's point of view -
"this is eBay, it's fine" - and from a machine filter's - "yes, this
is the same site you thought you were on").

ChrisA
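On the point above that a listing filter should be designed as a policy rather than patched exploit by exploit: the standard way to design one is an allowlist, which keeps only the tags and attributes that have been explicitly approved and discards everything else, so a new trick does not need a new rule. The following is an added example in Python, not code from this thread, from eBay, or from any project discussed here; the allowed tag and attribute sets, the URL-scheme check, and the sample input are assumptions chosen for illustration.

```python
import html
from html.parser import HTMLParser

# Assumed policy for a seller-listing body: anything not listed here is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
# Tags whose text content must be dropped as well, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds an HTML fragment from scratch, emitting only approved markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # pieces of the sanitized output
        self.drop_depth = 0    # >0 while inside a script/style element
        self.open_tags = []    # stack of allowed tags we have emitted

    @staticmethod
    def _safe_href(value):
        # Only plain web URLs are allowed in links (assumed policy).
        v = (value or "").strip().lower()
        return v.startswith("http://") or v.startswith("https://")

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and anything else not approved
            if name == "href" and not self._safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            # Close back to this tag so the output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            # Text is re-escaped, so it can never be read as markup.
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return an allowlist-filtered copy of an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample listing body (not a real listing).
    sample = ('<p>Nice <b>item</b><script>run()</script></p>'
              '<a href="javascript:run()" onclick="run()">details</a>'
              '<div>ships & tracked</div><img src="a.png"><b>open')
    print(sanitize(sample))
```

Because the output is rebuilt from an allowlist, the policy is stated once ("these tags, these attributes, these URL schemes") and nothing that is not in it survives, whether or not anyone has seen it used before; that is the difference between designing for security and the whack-a-mole approach the error message suggests.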
