The eBayla Virus
An anonymous reader linked us a Tasty Bit from Tasty Bits about the eBayla virus: an auction item that contains some JavaScript that will email your private eBay info to the creator of the auction. Eek.
eBay is being ridiculous (also pigheaded and stupid and arrogant and other such things), threatening the guy who found the hole for them. When that sort of thing happens you fall on your feet fixing it, and then you (discreetly) fall on your feet thanking who found it.
If they were to take action against the finder (presumably to protect their own asses), they might find what it's like to get the derision of the broadly-variable security research field; that ranges from negative mention in papers few people read to script-kiddie holocaust.
Annoying too that the media's calling this a "virus," which it isn't, not even close.
>RANT< As a web user I find Javascript generally useless and slow.
It seems to me that 50% of the Javascript on the web is used to hilite a link when you move your cursor over it, which I think is absolutely useless. My cursor already changes when I move it over a link, and loading a button twice just to have it reinforce the cursor change is not how I want to spend my time.
Another 40% of the Javascript code out there opens annoying, useless "consoles" that take valuable screen space and rarely have any sort of meat to them.
The last 10% is a mixed bag consisting of opening up a homepage to a site when you leave the site (Really really irritating ones force you to kill the browser to get off the site); making forms more "interactive", where the most frequent offender is the pulldown menu that automatically jumps to whatever you select, nevermind if you get it wrong or don't have Javascript. Frequently these pages omit the "submit" button as well, irritating Lynx users to no end.
As if this isn't bad enough, Javascript is not exactly a solid standard, with Netscape and Microsoft implementing their own set of bugs and incompatibilities into each version of their browsers. "But this works on my machine at home and in the lab!".
In conclusion: Javascript does not add enough value to my web surfing experience to counterbalance all of the negative issues associated with it. >/RANT<
I read the internet for the articles.
I think the name has little to do with what kind of code it is (virus vs. Trojan) and more with the soundbite-ness of it.
Ebola virus = eBayla virus, etc.
I know I'm being pedantic, but a lot of people are griping about the inaccuracy...
Jay (=
http://www.news.com/News/Item/0,4,353 21,00.html
The summary about eBay's response:
eBay acknowledged that the JavaScript exploit works, but minimized its importance.
"We know it's there, but you have to put it all in perspective," said eBay spokesman Kevin Pursglove. "We have a very open environment that lets individuals describe what they're selling, and JavaScript is there so people can make the best of their abilities to describe an item."
-- Bryan Feir
This is a serious problem eBay has to deal with..
But wouldn't it be funny if this guy logged on to eBay and offered this javascript for sale? Include a snippet of code, with the guarantee that the script isn't active, and sell to the highest bidder?
eBay would really have to get their butts in gear quick!
I hope he doesn't have to suffer for his service to humanity.
AS
-AS
*Pikachu*
But... What's important is what you don't see. Working on webpages, I view source. A lot. And most of the JavaScript I see, like most of the best software in any case, is transparent. It's doing stuff so pages look better for you. Just like any good piece of software. Go to Hotwired for another article about this Ebay thingy. One person comments that he can't believe Ebay allows Javascript in people's auction descriptions, which I have to say is a pretty salient point. I think Ebay should not only ban javascript, but all browser-specific HTML. Just think: Ebay could force all auctioneers to submit to HTML 4.0 standards, creating a new breed of technically good web authors. (I use the term technically because AFAIK, HTML 4 doesn't standardize taste, thereby preventing nausea-inducing color combinations.)
Well, at least till EBay fixes it, all people have to do is disable javascript. I know I've been doing that for awhile. So those... Informational pop-up windows won't open when I close a page. Yeah, informational. -j
http://www.somethingpositive.net Funny + bitter = comedy gold
eBay says they won't hold people accountable for bids entered with a pilfered password.
How do they intend to determine whether the bid was entered legitimately?
Seems like a wide open excuse for someone who does want to back out "Wasn't me who entered that bid. Must be that eBayla 'virus.'"
Dumb decision on eBay's part. If they decide not to allow JavaScript they won't PO that many customers, but the press over this virus sure will.
eBay needs to be taken out and beaten severely for not taking this threat seriously. The potential for serious exploitation is huge, and I can't believe they're taking the stand that this is a minor challenge that won't affect most people.
Amongst the "cute" ideas I've read about below (that all seem immediately technically and socially possible):
- Virus idea. Take each login/pw pair and introduce new JavaScript bids that spread further.
- Redirection. No reason you can't take someone away from eBay, put up a "duplicate" site that requests credit-card info. Very few users regularly check their current address or security information, especially with a "well-known" site like eBay.
- Bid stealing. Immediately send information about bids to a third-party, which can be used to drive up the price to the maximum any user is willing to bid.
- Bid modification. Change all bids and triple the submitted price. With eBay's anal standards about bid-retrieval, this could be a major hassle.
Sheer stupidity. Whoever is in charge of their public relations/technical departments REALLY dropped the ball today (and whenever they decided that JavaScript was somehow necessary and acceptable in auction descriptions).