The dreaded XSRF (cross-site request forgery) exploit is still uncorrected on eBay. That means extreme risk to both eBay and PayPal users.

 

Preface:

 

Let’s begin way back in 1999. This phylum of flaws (cross-site/scripting) has existed on eBay since before there were terms coined for it. I produced a quick & dirty video outlining not only that, but also how eBay sought to make a public relations play by announcing the removal of sellers’ ability to use active scripting elements in the user-generated content of eBay listings, then quietly reversed the decision and buried that news on a backwater blog. You can cut to the quick by clicking the more info area of the video and following the links.

 

Moving forward.

 

We blogged about this vulnerability back in September. Yet if you follow the links there, you will see the flaw actually existed for 3 years.

 

 

Now to the present day…

Published on Sep 16, 2013

eBay are currently vulnerable to XSRF – allowing any other web site to alter your profile information and gain access to your account.

Also very noteworthy, (more…)