Speaking of Javascript [was Re: Everything good about Python except GUI IDE?]

Jon Ribbens jon+usenet at unequivocal.co.uk
Wed Mar 2 13:29:33 EST 2016


On 2016-03-02, Chris Angelico <rosuav at gmail.com> wrote:
> To be fair, this isn't a JS exploit; it's a trusting-of-trust issue -
> eBay has declared that you can trust them to sanitize their sellers'
> listings, and so you trust eBay, but this exploit gets past the
> filter.

This is true. It sounds like their filter is frankly bizarre; I
can't imagine why it works the way that has been described.

> You're no more vulnerable looking at one of those listings
> than you would be going to a web site entirely controlled by the
> attacker, save that (particularly on mobile devices) there are a lot
> of people out there who'll say "Oh, it's eBay, I'm safe".

This however I don't think is true at all. eBay already has a great
deal of data about its customers, if an attacker can hijack sessions
and steal this data just from a user visiting a listings page then
that isn't anything like visiting a random malicious site.
