Security Issues Being Patched More Quickly
B10m recently found some issues in eBay. eBay allows JavaScript in certain contexts according to their website. According to B10m the small security issue is now patched. Allowing JavaScript really makes website security difficult, but I’m glad they were so on top of it. Here’s B10m’s email:
Hello,
Recently I discovered an exploit on eBay[1]. Unfortunately, eBay didn’t reply to me, but only after publication on the Dutch e-zine WebWereld[2].
They did, however, patch this little hole now, but still allowing JavaScript…
It’s patched for now, but maybe still nice to see (I did link to your site
1. http://menno.b10m.net/blog/blosxom.cgi/2006/09/25#ebay-xss
2. http://webwereld.nl/articles/43086/nederlander-ontdekt-xss-lek-in-ebay-sites.html
Glad to see it fixed, and I’m glad B10m gave them a chance to fix the issue. Finding these issues before the bad guys do is the name of the game (that’s why the web app scanner community exists at all). Raising awareness is never a bad thing. And yes, B10m, it’s still nice to see - even after the fact. Especially since the vectors mentioned were of the more obscure kind (where websites allow JavaScript but try to limit it).
Likewise the other day a redirect hole was found in Visa on the redirects disclosure thread. Within a few minutes (literally) the redirect in Visa was taken down and replaced with a page explaining that the link may be a phishing scam. Talk about on the ball! I was really impressed at how quickly they were able to do this. Big websites are always targets for good and bad guys alike - but it’s amazing how quickly these issues are getting patched. Clearly someone is paying attention. It’s better if we are the ones finding this than the phishers who aren’t nearly as gentle, and it’s a great feeling to know how important these issues are to companies with whom we all do business.
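As an added illustration (my own code, not from the original post and not Visa's implementation), here is the shape of the fix described above for a redirect endpoint: destinations on an allowlist are redirected to normally, and anything else gets the "this link may be a phishing scam" interstitial instead of a redirect. The host names and base URL are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Constructed values: the site's own base URL and the hosts it will redirect to unprompted.
SITE_BASE = "https://www.example.com/"
ALLOWED_HOSTS = {"www.example.com", "secure.example.com"}


def classify_redirect(target: str) -> str:
    """Return 'allow' for an allowlisted destination, 'warn' when an interstitial is due."""
    if not target:
        return "allow"  # nothing supplied: fall back to the site's own landing page
    # Resolve relative targets against the site itself. Backslashes are normalised first
    # because browsers treat "\\host" like the scheme-relative "//host" form.
    resolved = urljoin(SITE_BASE, target.replace("\\", "/"))
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return "warn"  # javascript:, data: and similar schemes are never redirect targets
    if parts.username or parts.password:
        return "warn"  # "trusted@attacker" style userinfo hides the real host
    host = (parts.hostname or "").lower()
    return "allow" if host in ALLOWED_HOSTS else "warn"


def redirect_response(target: str) -> tuple:
    """Model the two outcomes: a real 302, or a 200 warning page that does not redirect."""
    if classify_redirect(target) == "allow":
        return 302, urljoin(SITE_BASE, target.replace("\\", "/"))
    # The warning page deliberately does not echo the target, so it cannot be abused for XSS.
    return 200, "Warning: this link leads off our site and may be a phishing scam."
```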