eBay's Persistent XSS Vulnerability
In 2016, security researchers disclosed a persistent (stored) XSS vulnerability in eBay's product listing system that potentially exposed millions of users. Sellers could embed malicious JavaScript in their item descriptions, and although eBay filtered listing content, attackers found ways to inject scripts that executed in the browser of anyone who viewed the listing. Because the payload was stored on eBay's servers and delivered from eBay's own domain, a victim only had to open the listing; no link-shortening or social engineering was needed. That, combined with eBay's massive user base and the trust users place in the platform, made this stored XSS particularly dangerous.
The technical details revealed multiple security failures. eBay's content filter was a blocklist: it recognised and stripped known-bad constructs but failed to properly sanitize certain HTML attributes (those that carry script, such as inline event handlers) and encoded payloads that only become executable after the browser decodes them. Attackers bypassed the filter with a range of obfuscation techniques, including Unicode encoding, HTML entity encoding, and creative use of legitimate HTML features that the filter treated as harmless. Proof-of-concept attacks demonstrated the ability to steal session cookies, redirect users to phishing sites, and modify the appearance of listings to conduct fraud. The practical lesson is that any filter that inspects raw markup for known-bad strings is brittle: the check has to run on the same decoded representation the browser will see, and the safer design is to parse the content and re-emit only an allowlist of tags and attributes.
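The following added example (written for this page, not eBay's code) contrasts the two designs just described. A blocklist filter strips `<script>` tags and the literal string `javascript:`; an allowlist sanitizer built on Python's standard-library `html.parser` keeps only known tags and attributes and validates URL schemes after entity decoding and control-character stripping. The four payloads are constructed here to represent the bypass classes the text names (attribute-based handlers, entity-encoded and control-character-padded schemes, and nested tags that survive one stripping pass); none is a payload reported against eBay.

```python
"""Blocklist filtering versus allowlist sanitization of seller-supplied HTML.

Added illustration, not eBay's code. All payloads below are constructed
examples of generic filter-bypass classes. Standard library only.
"""
import html
import re
from html.parser import HTMLParser


# --- Blocklist approach: strip <script> tags and the literal "javascript:" ---
def naive_sanitize(fragment: str) -> str:
    out = re.sub(r"(?i)</?script[^>]*>", "", fragment)
    return re.sub(r"(?i)javascript:", "", out)


# --- Allowlist approach: parse, keep known-safe tags/attributes, re-serialize ---
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # drop the element *and* its text


def safe_url(value: str) -> bool:
    # Normalise the way a browser does before it reads the scheme: decode
    # entities (java&#x73;cript:), drop ASCII control chars and whitespace
    # (java\tscript:), fold case. Then allow only http(s) or scheme-less URLs.
    v = re.sub(r"[\x00-\x20]", "", html.unescape(value)).lower()
    m = re.match(r"([a-z][a-z0-9+.-]*):", v)
    return m is None or m.group(1) in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self._dropping = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._dropping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # onerror=, onload=, style=, ... never get through
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._dropping = max(0, self._dropping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            # Parser decoded any entities; re-encode so text stays text.
            self.parts.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional-comment tricks) are dropped


def sanitize(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.parts)


# Constructed payloads, one per bypass class (not real eBay payloads)
PAYLOADS = {
    "event handler, no <script> at all": '<img src=x onerror="alert(document.cookie)">',
    "entity-encoded scheme": '<a href="java&#x73;cript:alert(1)">deal</a>',
    "control char inside scheme": '<a href="java\tscript:alert(1)">deal</a>',
    "nested tag survives one strip": "<scr<script>ipt>alert(1)</scr</script>ipt>",
}
BENIGN = "<p>Brand <b>new</b> &amp; boxed</p>"

if __name__ == "__main__":
    for label, payload in PAYLOADS.items():
        print(f"{label}\n  blocklist: {naive_sanitize(payload)!r}"
              f"\n  allowlist: {sanitize(payload)!r}")
    print("benign:", sanitize(BENIGN))
```

Running it shows the blocklist passing every payload (the nested one is even reassembled into a clean `<script>` element by the strip itself) while the allowlist output contains no script, no event handler and no non-http(s) URL, and the benign listing markup survives intact. In production the same idea is usually delegated to a maintained library such as DOMPurify or bleach, and paired with a Content Security Policy and HttpOnly session cookies so that a bypass that does slip through cannot trivially exfiltrate the session.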
What made this vulnerability particularly concerning was its persistence over time. Security researchers reported similar XSS vulnerabilities in eBay listings multiple times over several years, which points to a systemic weakness in the platform's approach to content sanitization rather than a one-off bug. Each time eBay blocked a specific payload, researchers found a new encoding or markup trick that the filter did not anticipate. This cat-and-mouse game illustrated the challenge of retrofitting security into complex, legacy systems, and the importance of a secure-by-design architecture in which untrusted markup passes through a single allowlisting sanitizer and output encoding, rather than an ever-growing list of forbidden patterns.