Swindlers using new CSS method attack eBay
Swindlers have apparently managed to manipulate descriptions of goods on eBay so that they can change or overwrite any item numbers and the advertiser's email address. This hasn't just misled bidders: it's thought that eBay's measures to protect against fraudulent auctions have been outsmarted.
The swindlers use a cross-site scripting attack in conjunction with the XML Binding Language (XBL), which allows elements in an HTML document containing scripts, style sheets and other objects to be linked to another web site. However, precisely where the error lies is still unknown.
eBay now claims to have eliminated the problem on its pages, while Firefox's developers are thinking about developing a patch to contain it. However, they point out that this attack doesn't exploit a vulnerability in the browser, nor, for example, does it violate the same-origin policy. On the contrary, they say, the danger of content being embedded from other pages has been known for years, and eBay simply ought to improve its filtering, or checking, of downloaded content.
Other pages that permit the embedding of code and the reloading of CSS are also affected by the problem. It's claimed that Internet Explorer versions 6 and 7 are vulnerable to such attacks.
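As an added illustration of the content filtering the Firefox developers call for (this is not eBay's or Mozilla's code), the following check rejects seller-supplied CSS that loads code from elsewhere, such as the `-moz-binding` property that attaches an XBL binding. The property and token lists are assumptions of this example, since the article does not say which construct was used, and the sample inputs in the comments are constructed.

```python
import re

# Constructed policy for this example: CSS features that pull in or run code.
# -moz-binding attaches an XBL binding (Firefox); behavior and expression()
# are Internet Explorer counterparts; @import reloads a further style sheet.
BLOCKED_PROPERTIES = {"-moz-binding", "behavior"}
BLOCKED_TOKENS = ("expression(", "@import")

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A CSS escape is a backslash plus 1-6 hex digits (and one optional
# whitespace terminator), or a backslash plus any other single character.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")


def normalize_css(css: str) -> str:
    """Strip comments, decode escapes and lower-case, so that encoded
    spellings such as '-\\6d oz-binding' compare equal to '-moz-binding'."""
    css = _COMMENT.sub("", css)

    def unescape(m):
        if m.group(1):
            code = int(m.group(1), 16)
            return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
        return m.group(2)

    return _ESCAPE.sub(unescape, css).lower()


def check_style(css: str) -> list:
    """Return the reasons a style value is rejected (empty list = accept)."""
    text = normalize_css(css)
    reasons = []
    # Split on ';', '{' and '}' so that both style attributes and whole
    # style sheets are broken into individual declarations.
    for declaration in re.split(r"[;{}]", text):
        prop = declaration.partition(":")[0].strip()
        if prop in BLOCKED_PROPERTIES:
            reasons.append("property " + prop)
    compact = re.sub(r"\s+", "", text)
    for token in BLOCKED_TOKENS:
        if token in compact:
            reasons.append("token " + token)
    return reasons
```

A block list like this only covers the constructs it names; accepting only an explicit allow-list of harmless properties is the stronger design for user-supplied markup.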