InactiveAutoUser asked

Risk of exposing the AppId when making calls from client side.

When working with the Finding API via JavaScript (or any client-side technology for that matter), and making calls from the client side, the eBay AppId is public and exposed: it can be viewed just by looking at the page source, or by just opening Fiddler and looking at the outgoing requests.

So a malicious user can copy the AppId and start making calls to Finding API with it.

This seems bad because now the AppId could reach its API call limit per day.

How can this be solved, and are there any other issues when exposing the AppId like so?
finding-api
jourbandts answered

Hi,

You actually bring up a good point. There are not really any issues other than what you mentioned, someone making calls using your AppID, but only certain calls use only the AppID. Shopping and Finding API calls, for example. But they can't do anything else with it. And to use our Trading API, for example, they would need the other IDs that go along with it, so just the AppID is useless. I don't have exact answers of NOT exposing URL information, but I am sure there are many ways to do so. Maybe other people in the community have done this? I would think not exposing your JavaScript directly. Make the call from the server side and hide any information you want.


Adding to the confusion is this official eBay tutorial using JavaScript and the Finding API.

http://developer.ebay.com/DevZone/javascript/docs/HowTo/GetUserProfile/GetUserProfile_Tutorial.htm

This tutorial leaves no doubt about exposing the AppId.

Just search for "appid" in the document.

If there was any real threat of exposing the AppId like so, then I assume the tutorial would mention it. But it doesn't. And still, the appId abuse I mentioned is possible.

helios825 answered

I think the vulnerability of exposing one's AppID via JavaScript is definitely not to be shrugged off. Sure, we're not talking about Trading API calls that require tokens, but a malicious user could grab your AppID and quickly exhaust your daily calling limit, preventing your own app from functioning, interfering in your business and frustrating your users.

This topic has come up a few times in the past, on the old eBay Dev forum. Here are some suggestions:

1) Avoid client-side altogether, if possible, and limit your API calls to private server-side scripting.

2) If you are going to expose your AppID via JS, try to use an AppID that has a low daily call limit (not a 1.5M call, API certified limit). In the past the limit was not parsed up across unique IPs, but now I think it's consolidated, so make sure 5K calls/day is enough for all of your JS deployments.

3) Have a few AppIDs (a handful of eBay Dev accounts) on hand. So, if one is stolen, you can release another/newer one. This depends on your JS polling for the day's/hour's current AppID to use, from your server.

4) Instead, proxy all JS calls through your server. The JS calls your server (no AppID exposed), and your server makes a back-end call to eBay's API to retrieve data. Process the data (strip it down, etc.) and return to the JS only what it needs. Be sure to implement some throttling to prevent abuse of your server. Also, I think there's some API legalese about not operating a direct-through proxy server to eBay's API, so you'd need to make sure you're not violating that.


Thanks for the post helios825. Great bit of information! And this is something we are not just shrugging off. I will make sure to bring this up when we have any reviews.


Thanks helios825! This is the kind of answer I was looking for.

Hi josh.developersupport. Can you tell us when this issue will be addressed, and where can we find updates about the issue?


There is no ETA as to when it will be addressed. When I know more I will update this thread if applicable. We are also trying to get something put up where developers can follow the latest news etc., but that is also not in place and there is no ETA.

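Both jourbandts's advice to make the call from the server side and item 4 of helios825's answer describe the same design, so here is one added example of it (not code from eBay or from anyone in this thread): a small Node.js proxy in which the AppID is read only on the server (EBAY_APP_ID is an assumed variable name), the browser supplies nothing but a keyword, a fixed-window throttle limits each client, and the upstream payload is trimmed to the fields the page needs before it goes back. The Finding API parameter names and JSON response shape used here are as I know them, not taken from this page, and the upstream fetch is injected so the logic runs offline.

```javascript
// Server-side proxy for Finding API keyword searches (added example, hypothetical names).
// The AppID lives only on the server; browsers call handleSearch's endpoint and never see it.
const APP_ID = process.env.EBAY_APP_ID || 'PLACEHOLDER-APP-ID'; // assumed env var name

const WINDOW_MS = 60000;    // throttle window per client
const MAX_PER_WINDOW = 30;  // requests allowed per client per window
const buckets = new Map();  // clientKey -> { count, windowStart }

// Fixed-window throttle keyed by client (IP, session id, ...). Returns true if allowed.
function allowRequest(clientKey, now = Date.now()) {
  const b = buckets.get(clientKey);
  if (!b || now - b.windowStart >= WINDOW_MS) {
    buckets.set(clientKey, { count: 1, windowStart: now });
    return true;
  }
  if (b.count >= MAX_PER_WINDOW) return false;
  b.count += 1;
  return true;
}

// Build the upstream findItemsByKeywords URL; only the keyword comes from the client,
// so the caller cannot turn this endpoint into a general-purpose relay to eBay.
function buildUpstreamUrl(keywords) {
  const u = new URL('https://svcs.ebay.com/services/search/FindingService/v1');
  u.searchParams.set('OPERATION-NAME', 'findItemsByKeywords');
  u.searchParams.set('SERVICE-VERSION', '1.0.0');
  u.searchParams.set('SECURITY-APPNAME', APP_ID);
  u.searchParams.set('RESPONSE-DATA-FORMAT', 'JSON');
  u.searchParams.set('keywords', keywords);
  return u.toString();
}

// Handle one client request. fetchUpstream(url) resolves to the parsed upstream JSON
// (injected so the logic can be exercised without network access).
async function handleSearch({ clientKey, keywords }, fetchUpstream) {
  if (typeof keywords !== 'string' || keywords.length === 0 || keywords.length > 100) {
    return { status: 400, body: { error: 'invalid keywords' } };
  }
  if (!allowRequest(clientKey)) return { status: 429, body: { error: 'rate limited' } };
  const data = await fetchUpstream(buildUpstreamUrl(keywords));
  // Return only the fields the page needs; the raw upstream payload never reaches the browser.
  const resp = data && data.findItemsByKeywordsResponse && data.findItemsByKeywordsResponse[0];
  const items = (resp && resp.searchResult && resp.searchResult[0] && resp.searchResult[0].item) || [];
  return {
    status: 200,
    body: { items: items.map(i => ({ id: i.itemId && i.itemId[0], title: i.title && i.title[0] })) },
  };
}
```

Keying the throttle on the real client address (rather than a spoofable header) and keeping the daily upstream budget in mind when choosing MAX_PER_WINDOW is what keeps one abusive client from burning the AppID's quota through your server.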