Fleabay still vulnerable, but don't worry they have no plans to fix...er, what?

Author: ston
2016/03/02 08:25:14


Javascript lols on the bay of fleas!
 
What's that you say, ad-hoc script execution without using any alpha-numeric characters?
 
Yup:
 
http://thedailywtf.com/articles/bidding-on-security
 
blog.checkpoint.com/2016/02/02/ebay-platform-exposed-to-severe-vulnerability/
 
This is no crypto-breaking or man-in-the-middle style of exploitation; this is running ad-hoc JavaScript directly on the client (i.e., your) machine by using a rather nasty JSF**k trick. The exploit could embed malicious code within legit fleabay pages which are delivered to you, and neither the server nor you would be any the wiser.
 
Personally, I am going nowhere near fleabay until they've addressed the problem.
 
 
#1
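As an added illustration of the point above (example code, not part of this thread and not eBay's or Check Point's code; all function names and inputs are hypothetical), this contrasts a keyword blacklist, which non-alphanumeric script slips past, with a structural allowlist and a simple review-queue heuristic:

```javascript
// Added example, not code from this thread or from eBay/Check Point. It
// contrasts a keyword blacklist, which non-alphanumeric (JSFuck-style) code
// slips past, with a structural allowlist, and adds a heuristic for flagging
// such content in a review queue. All inputs are constructed; the
// non-alphanumeric run is filler from the JSFuck alphabet, not a payload.

// Naive defence: reject event-handler values containing known script
// keywords. A value written only with []()!+ has no letters or digits, so
// every keyword test fails to match and the value is allowed through.
const KEYWORDS = /alert|eval|document|window|location|fetch|script/i;
function keywordBlacklistAllows(value) {
  return !KEYWORDS.test(value);
}

// Structural defence: decide by position, never by content. Every inline
// event-handler attribute (onclick, onerror, ...) and every <script> element
// is removed outright, so there is nowhere for an encoded payload to sit.
function allowlistSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Monitoring heuristic: JSFuck code uses only the six characters []()!+ and
// runs far longer than any legitimate use of them. Flag runs of 40 or more.
const NON_ALNUM_RUN = /[\[\]()!+]{40,}/;
function looksLikeNonAlnumScript(text) {
  return NON_ALNUM_RUN.test(text);
}

// Constructed listing fragment: an <img> whose onerror value is 72 characters
// of filler drawn from the JSFuck alphabet (no letters or digits at all).
const FILLER = "[]+!+[]()".repeat(8);
const constructedListing =
  '<p>Great item!</p><img src="x" onerror="' + FILLER + '">';

function demo() {
  return {
    blacklistAllowsFiller: keywordBlacklistAllows(FILLER),   // true
    sanitized: allowlistSanitize(constructedListing),        // handler gone
    flagged: looksLikeNonAlnumScript(constructedListing),    // true
  };
}
```

The takeaway is that the blacklist returns "safe" for the filler value while the structural sanitizer removes the handler regardless of what it contains.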

5 Replies

    craigb
    Re: Fleabay still vulnerable, but don't worry they have no plans to fix...er, what? 2016/03/02 10:40:18
    ston
    Personally, I am going nowhere near fleabay until it becomes a viable way to sell things like it was in the beginning.
     
    My take.

    Time for all of you to head over to Beyond My DAW!
    #2
    ston
    Re: Fleabay still vulnerable, but don't worry they have no plans to fix...er, what? 2016/03/03 11:41:43
    Wait, you can sell things there? :-)
     
    I've never tried tbh, I tend to Give Away With Extreme Prejudice things that I no longer need, i.e. when the space they're occupying becomes more valuable than the thing doing the occupying.
     
    I shouldn't worry too much about the exploit tbh; I'm saving all my energy up to worry about the $%&@#! DROWN TLS-breaking bug caused by exploiting 1990s SSLv2 tech which many servers still support (why?!). Don't worry, only about a third of ALL servers are vulnerable.
     
    For those with Marvin-esque sized brains: https://drownattack.com/drown-attack-paper.pdf
    #3
    craigb
    Re: Fleabay still vulnerable, but don't worry they have no plans to fix...er, what? 2016/03/03 13:38:53
    67% is a better chance than in Vegas though!
    Time for all of you to head over to Beyond My DAW!
    #4
    Moshkito
    Re: Fleabay still vulnerable, but don't worry they have no plans to fix...er, what? 2016/03/10 10:11:54
    Hi,
     
    Hey ... the Coffee House is TRUTHY!

    Music is not about notes and chords! My poem is not about the computer or monitor or letters! It's about how I was able to translate it from my insides! 
    #5
    jamesg1213
    Re: Fleabay still vulnerable, but don't worry they have no plans to fix...er, what? 2016/03/10 11:26:39
    craigb
    ston
    Personally, I am going nowhere near fleabay until it becomes a viable way to sell things like it was in the beginning.

    My take.

    Haven't sold anything for a good while; it's just a minefield for sellers now and the eBay/PayPal fees have become prohibitive IMO.
    Jyemz
    Thrombold's Patented Brisk Weather Pantaloonettes with Inclementometer
    #6