XSS allowed on eBay members pages

Hey everyone. Today I would like to disclose an XSS vulnerability present on members.ebay.com which the security engineering team at eBay.com do not classify as a security issue.

If you wish to test the PoC, you must have an eBay account.

This is the logic behind the vulnerability:

(1) eBay allows for users to create their own "member" pages which can contain HTML
(2) When HTML with JavaScript such as "<script>alert(document.cookie)</script>" is submitted they actively prevent it from being used on the member page. See gif below:

(full report with visual documentation at link   ^ )

The comedy here is:

Thank you again for your report.

 

We are closing this ticket since this is one of the functions where we allow users submit active content to customize their 'about me' pages as long as there isn't any violation against the (http://pages.ebay.com/help/policies/listing-javascript.html). This is mentioned in the about me policy:http://pages.ebay.com/help/policies/listing-aboutme.html

 

Our discovery team continually monitors user accounts and if there is any violation against the eBay policy, the user account will be suspended.

 

We welcome further submissions, and if they are true vulnerabilities to our eBay community we will gladly add your name to the site once the vulnerability is resolved.

We are closing this case without further action.