Re: Adding Javascript to eBay listing code

Posted: Sat Aug 04, 2018 1:51 pm
by fastpass
I have had a LastPass support ticket open for probably a year, with much back-and-forth about LastPass injecting JavaScript into eBay listings.

There are a dozen or more threads about this in the eBay seller forums.

The LastPass JavaScript is readily visible in the HTML editor window of the eBay listing. (I have sent this many times to LastPass.) eBay used to publish it visibly in listings, but inserted a JavaScript checker last year. I routinely get eBay warnings to clean the LastPass JavaScript out of my listings; that's eBay's fix.

To say the least, this is inconvenient.

To my knowledge, LastPass has done nothing about this. Why the LastPass plug-in chooses to post LastPass JavaScript in an eBay editor window -- I haven't seen this in an authoring window anywhere else -- is known only to LastPass. (I use Firefox on Mac desktop.)

To me, this is an indication LastPass is not as attentive to security issues as it should be. Why would it want any amount of its coding to be exposed?
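A pre-submit check a seller could run on listing HTML to find and remove stray `<script>` elements of the kind the post above describes, as an added example that is not part of the thread and not LastPass or eBay code. The function names and the sample markup are constructed; the actual injected code is not shown on this page.

```javascript
// Added example: locate and strip <script> elements from listing HTML
// before it is submitted. All names and sample markup are constructed.

// A whole <script ...>...</script> element, or an unclosed <script ...>
// running to the end of the input.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?(?:<\/script\s*>|$)/gi;

// Report each script element with its position and a short preview,
// so the seller can see what was added to the listing.
function findScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    hits.push({
      offset: m.index,
      length: m[0].length,
      preview: m[0].slice(0, 60),
    });
  }
  return hits;
}

// Remove script elements. The loop repeats until the text stops changing,
// so removing one element cannot splice a new <script> tag together
// from the fragments on either side of it.
function stripScripts(html) {
  let out = html;
  let prev;
  do {
    prev = out;
    out = out.replace(SCRIPT_RE, "");
  } while (out !== prev);
  return out;
}

// Constructed sample: listing text with an extension-added script in the middle.
const SAMPLE_LISTING =
  "<p>Vintage lamp</p>" +
  '<script type="text/javascript">/* added by a browser extension (constructed) */</script>' +
  "<p>Ships fast</p>";

console.log(findScripts(SAMPLE_LISTING));
console.log(stripScripts(SAMPLE_LISTING));
```

This is a hygiene check on the seller's own listing text; it matches tags with a regular expression and does not handle attribute values that contain `>`, so it is not a substitute for a parser-based sanitizer on untrusted HTML.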

Re: Adding Javascript to eBay listing code

Posted: Sat Aug 04, 2018 3:49 pm
by FlyingHawk
fastpass wrote: "To me, this is an indication LastPass is not as attentive to security issues as it should be. Why would it want any amount of its coding to be exposed?"

This JavaScript code is intentionally injected, not accidentally "leaked". As far as LastPass is concerned, it's not a security issue.

Plus, anyone can see all of the LastPass extension's JavaScript code. Exposed code is not a security issue.

Re: Adding Javascript to eBay listing code

Posted: Sat Aug 04, 2018 5:40 pm
by fastpass
Why would LastPass post any kind of code in an eBay listing? What purpose does this serve for LastPass?

This code is not injected in any other kind of edit window that I've seen.

Re: Adding Javascript to eBay listing code

Posted: Sat Aug 04, 2018 8:03 pm
by FlyingHawk
LastPass injects JavaScript code into some webpages to help locate username/password fields and achieve autofill. That the code got into the edit window is probably just an unfortunate side effect.

Re: Adding Javascript to eBay listing code

Posted: Sat Aug 04, 2018 10:44 pm
by fastpass
There are no fields to autofill, no username or password field, on an eBay listing form. The code is injected into an edit window for a listing. LastPass is an uninvited visitor.

As I've said before, the code from LastPass is not injected into edit windows on any other form, including those that appear on pages where there is a username or password field. This behavior is peculiar to LastPass in relation to eBay only.

You're talking through your hat, as we say.

Re: Adding Javascript to eBay listing code

Posted: Sat Aug 04, 2018 11:27 pm
by FlyingHawk
What part of "unfortunate side effect" do you not understand? I didn't say it's correct behavior.
LastPass injects this code into *every* eBay webpage in order to *find* login fields if any exist. It doesn't know a priori if login fields exist on the page.
It just so happens that in the listing editing page, the code somehow ended up in the edit window.

I was only replying to your question of why LastPass does this, and why it's not a security issue. I was NOT commenting on the more general problem of the code ending up in listings.

Re: Adding Javascript to eBay listing code

Posted: Sun Aug 05, 2018 12:55 pm
by fastpass
Why does LastPass choose eBay for this behavior? As I said before, it does not appear in any other edit window on any other site or platform.

It is certainly a bug in LastPass that has been ignored for years. Clearly, you're not an eBay seller or you would know how annoying this is.

Re: Adding Javascript to eBay listing code

Posted: Sun Aug 05, 2018 3:27 pm
by FlyingHawk
Presumably because it's a bit difficult to find and autofill eBay's login fields. Some other sites also have site-specific injected code, e.g. PayPal, Spotify.

Again, I'm only answering technical questions. I'm not commenting on the overall problem. Whether I'm an eBay seller or not has no relevance.

Re: Adding Javascript to eBay listing code

Posted: Tue Aug 07, 2018 3:34 pm
by fastpass
FYI, for those who wish to be fully informed about the fields on the eBay Web page in question instead of piping theories through their nether regions, here's a screenshot of the page: https://drive.google.com/open?id=14cH8V ... 5o6CPlsGHx

There are no log-in fields whatsoever on this page. The red arrow indicates the HTML tab of the Edit window, where LastPass deposits its unwelcome JavaScript.

As a matter of fact, here it is in this new test listing:

https://drive.google.com/open?id=1OTo0N ... wzrhJ6mA6m

Re: Adding Javascript to eBay listing code

Posted: Tue Aug 07, 2018 3:48 pm
by FlyingHawk
Whether or not there are login fields on the page has no relevance.
As I said before, part of the purpose of the code is to find out whether there's a login field. Injected code is site-specific, not page-specific.