On Thu, Mar 3, 2016 at 4:05 AM, Steven D'Aprano <st...@pearwood.info> wrote:
> Speaking of Javascript exploits:
>
> http://thedailywtf.com/articles/bidding-on-security
>
> This is a real exploit, and Ebay have refused to fix it. Yay them!
>
> More here:
>
> http://blog.checkpoint.com/2016/02/02/ebay-platform-exposed-to-severe-vulnerability/

To be fair, this isn't a JS exploit; it's a trusting-of-trust issue - eBay has declared that you can trust them to sanitize their sellers' listings, and so you trust eBay, but this exploit gets past the filter. You're no more vulnerable looking at one of those listings than you would be going to a web site entirely controlled by the attacker, save that (particularly on mobile devices) there are a lot of people out there who'll say "Oh, it's eBay, I'm safe".

ChrisA