Ebay Login - False Positive???

Posted by: polonus
« on: Nov 17 at 12:50:05 AM »

Various AV will return it as clean, but we see no best policies followed here

The subject of this thread was “Ebay Login - False Positive???” So is Avast posting a False Positive?

As an additional protection from JavaScript redirect-type malware do you recommend using a browser extension in Firefox like NoScript? If this malware, JS:Redirector-BMU [Trj], were real, would an extension like NoScript stop it? The reason I ask is that today with NoScript active, Avast does not flag a threat warning when I get to the Ebay login page. If I turn NoScript off, Avast flags the threat “We’ve safely aborted connection to www.ebay.com because it was infected with JS:Redirector-BMU [Trj].”

So is there going to be an answer or what?
Avast, Chrome, Firefox, Opera all complain about js:redirector-bmu when I try to log in
https://www.virustotal.com/ru/file/84b5b0825e844669ff4021a3c5b650f66a0eb6ee23c71c8d9fa461198bceef7c/analysis/1542467129/

Please post in English here, else use the forum section for your language.
https://forum.avast.com/index.php?board=21.0

Also consider these scan results: https://webcookies.org/cookies/www.ebay.com/20254066
a -12 security score… also consider: https://webcookies.org/ssl/report/www.ebay.com/15798
Error here: hint #1: ‘content-type’ header media type value should be ‘text/javascript’, not ‘application/javascript’;
Static resources should have a long cache value (31536000) and use the immutable directive: public, max-age=0;
Response should be compressed with Brotli when Brotli compression is requested over HTTPS

But no security implications seen there. Do we have to reckon with an AVG/avast FP in this case?
I see a retirable library here: https://retire.insecurity.today/#!/scan/92018e8cedcf9a9e4204faa410bf76be8a80dac2e5fd8929118a0f0727f6baaf

Domain is not malware free no way: https://www.virustotal.com/#/domain/www.ebay.com

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

polonus - my apologies. I did not notice that at the bottom of each of your posts you say "Use NoScript, a limited user account and a virtual machine and be safe(r)!" Thanks for this advice.

Hi rfkco,

You’re welcome. Yep, NoScript and also uMatrix for that matter are solutions that will always work both for present and even for future (3rd party) script threats. Giorgio Maone presented a wonderful tool for us all to keep us much more secure inside the browser. We all know that JavaScript can be the royal way into your device’s OS for malware, adware, bloatware and potentially unwanted code.

Only if users were more aware of the benefits like we are, it would be much more secure under everyone’s browser-hood.

Have a nice day and again thanks for reporting here, stay safe and secure both offline and online,

polonus

polonus, NoScript plugin for FF blocks ebay

I don’t know why that would be the case. Given eBay is a very high traffic site, that NoScript would want to block.

That said, we would need more details, screenshot or the wording to see why.

I no longer use NoScript (uBlock Origin) so I can’t check. However, you should be able to change NoScript to allow it. But I wouldn’t do that until we find why it is blocked.

Hi DavidR,

I do not use NoScript nor uMatrix in a browser, that I came to appreciate some time ago for its effectiveness and that is Avast Secure Browser. Whenever for out of the ordinary requests and scanning I browse browsers like Iridium, beaker or Brave.

NoScript and uMatrix also always have been a bit outside the scope of the common browser user, that do not know how and why to toggle such extensions to be secure under all circumstances. I mean to know what main and third-party scripts to block and not allow or not to block and to allow.

Some links from ebay are being blocked for me like: -https://pagead2.googlesyndication.com/pagead/osd.js & -https://pagead2.googlesyndication.com/pagead/osd.js but more as ads are being blocked…

See some of the privacy hiccups at ebay’s: https://privacyscore.org/site/117501/

  1. See all known 3rd party scripts and known trackers, 24 & 9.
  2. Find that server is vulnerable to secure-client-initiated renegotiation,
  3. Find that no referrer-policy header is being set.
  4. See server is vulnerable to the SWEET32 attack.

Damian

@ polonus
Off Topic:
Since I can’t use Avast Secure Browser on all systems, I won’t be installing it on any. Plus I’m still not a fan of Chrome or chromium based browsers.

Back On Topic:
I certainly wouldn’t say NoScript is particularly complex.
I never mentioned uMatrix which is more complex, like the RequestPolicy add-on that I also used in the past.

Hi DavidR,

Agree with you that not having Avast Secure Browser brought to Google-Android for instance is unfortunate, as Brave browser has been brought there, and I use it a lot on mobiles. Even so as Avast Secure Browser is a chromium based browser of sorts. :smiley:

uMatrix is not particularly complex either, just allow minimal settings to let the page function properly and know what sites to shun.

pol

This is certainly not a false positive, the detection was triggering a redirection script.
However, as this is on ebay, I will let it pass and disable the detection, but if anyone from ebay is reading this, beware that I am strongly against this behavior!

Hmm…As upset as I was about this, If this is the case
We users would want Avast to stand the ground
We also would “strongly object to this behavior”
I hope they lost a lot of money with this. > :frowning:

To support this above vision, I recently scanned at Zulu Zscaler’s, which results agree delivering a VirusTotal Content Check,
that produces a Positives count of 3 with a risk score of 30; all this for the code at
-hXtps://www.ebay.com/rdr/js/s/rrbundle.flat.min.js.

However the above risk grade does not lead to a VT flag by any of the known av-solutions.
A risk score of 30 denotes that application/javascript; charset=UTF-8 here is questionable to say the least.

polonus