Speaking of Javascript [was Re: Everything good about Python except GUI IDE?]

Jon Ribbens jon+usenet at unequivocal.co.uk
Wed Mar 2 17:01:07 EST 2016


On 2016-03-02, Chris Angelico <rosuav at gmail.com> wrote:
> On Thu, Mar 3, 2016 at 5:29 AM, Jon Ribbens
> <jon+usenet at unequivocal.co.uk> wrote:
>> On 2016-03-02, Chris Angelico <rosuav at gmail.com> wrote:
>>> You're no more vulnerable looking at one of those listings
>>> than you would be going to a web site entirely controlled by the
>>> attacker, save that (particularly on mobile devices) there are a lot
>>> of people out there who'll say "Oh, it's eBay, I'm safe".
>>
>> This however I don't think is true at all. eBay already has a great
>> deal of data about its customers, if an attacker can hijack sessions
>> and steal this data just from a user visiting a listings page then
>> that isn't anything like visiting a random malicious site.
>
> Hmm, maybe. But the description of the exploit talks of getting people
> to click a button to install an app, which is something anyone could
> do with full control of a web site;

I think that's just a proof-of-concept sort of thing. There are many
more interesting things you can do than put up "download this exe
and run it" pop-ups if you can run arbitrary JavaScript in someone
else's domain.

> the value (to the attacker) of exploiting the eBay filter limitation
> is that it slips it into an otherwise-trusted web site (both from
> the human's point of view -"this is eBay, it's fine" - and from a
> machine filter's - "yes, this is the same site you thought you were
> on").

You can of course just register egay.com (or whatever) and hope for
the best (including putting an SSL cert on it).


