eBay Germany modified its policy on the use of Javascript after a German TV news show reported a security flaw on the site. Sat1 reported in late September that a computer hacker found and reported the security flaw to eBay over a year ago.
AuctionBytes contacted eBay on September 28 after the show aired. eBay spokesperson Hani Durzy said there have been no hacks into the eBay database, and said he believed the reports referred to a Javascript or active content vulnerability.
Durzy said that theoretically someone could place Javascript in an eBay listing so that when a visitor clicks on the bid button, they are taken to a non-eBay site without their knowledge. Durzy said, "while technically it is possible to do, we rarely, if ever, see it in the site."
"We have developed technology to let us look at the site for malicious code," Durzy said, "although it's not 100 percent perfect. The potential has always been there, but we've not heard of it affecting any eBay users."
Durzy advised eBay members to use the eBay Toolbar, which has a feature that indicates whether users are on the eBay site or not, and to use up-to-date anti-virus software.
The U.S. Computer Emergency Readiness Team Web site explains that "A popular type of attack that relies on JavaScript involves redirecting users from a legitimate web site to a malicious one that may download viruses or collect personal information." (http://www.us-cert.gov/cas/tips/ST04-012.html)
eBay Germany changed its policy surrounding the use of Javascript in auction listings on Friday, October 1. eBay Germany recently made headlines regarding security issues when a German teenager allegedly redirected certain parts of the eBay Germany site to a different domain name server.
German-language Heise On-Line has also been following the story (http://www.heise.de/security/news/meldung/51511).
http://www2.ebay.com/aw/de/20041001143658.html
Mark O'Neill contributed to this article.