The dreaded XSRF cross site request forgery exploit is still uncorrected on ebaY. That means extreme risk to both ebay and Paypal users.
Let’s begin way back in 1999. This phylum of flaws (cross-site/scripting) has existed on ebay since before there were terms coined for it. I produced a quick & dirty video outlining not only that, but how ebay sought to make a public relations play by announcing the removal of sellers’ ability to use active scripting elements in the user generated content of ebay listings, then quietly reversed the decision, and buried that news on a backwater blog. You can cut to the quick by clicking the more info area of the video and following the links.
We blogged this vulnerability back in September. Yet if you follow the links there, you see the flaw actually existed for 3 years.
Now to the present day…