11-19-2021 12:00 PM
This is a response to eBay’s claims that the new “Application Access” authorization is to repair the avatars and feedback that have been missing from the eBay community, originally posted here: https://community.ebay.com/t5/Share-Community-Platform/Intermittent-issues-on-Community-platform-mis...
The information mentioned is freely available to anyone. You do not need any form of application authorization to retrieve this information.
As evidence to back up this claim, I will have to give an explanation of exactly what these “Grant Application Access” messages are, how the eBay API works, and what information is freely available.
What is the eBay API?
The eBay API is basically a system that will allow software to communicate with eBay and exchange information/data. Much of eBay’s website uses the API to retrieve the information that it displays on the “My eBay” and “Sellers Hub” pages.
What information is available through the API?
In basic terms, there are basically two classes of information that are available on eBay. For this explanation I’ll be calling them Public and Private.
For example, when you’re browsing eBay and looking at other users' listings, the information you’re seeing is “public”. This means anyone can see the information. You could see the item they posted, the photos, the pricing, etc.
In another example, if you go to revise your own listings, you’ll see all the “public” information that was shown, but since you’re logged in to your own account, you also have access to seeing additional information such as rate tables, handling time, promotion values, etc. This is the “private” information. Typically, you could only see “Private” information on your own account.
Some functions of eBay are private as well. If you try to create a new listing, that is considered a “private” function. Nobody else could create new listings for your store. Only you could.
What are these “Grant Application Access” pages?
Let’s say for example that I’ve created a piece of software to assist with creating listings, and checking recent orders to see if any of the listings that were created sold. We’ll say in this example that the name of this software was “ExListing Manager”
By default, “ExListing Manager” could use the eBay API to check information that is public.
Now you’ve learned about “ExListing Manager” and you’d like to try it. Once you’re registering for the software, it’ll direct you to a webpage that states:
“Grant Application Access: ExListing Manager”
If you agree to this request, it basically generates a token (let’s say like a password) that will allow “ExListing Manager” to access your private eBay data.
Prior to agreeing, if “ExListing Manager” attempted to create a listing on your store, it wouldn’t be allowed. But after you had agreed, it can send the request to create a listing to the eBay API, and it can now use the token, and eBay would allow the software to create the listing on your behalf.
“ExListing Manager” also is supposed to track if the listings it creates are sold. So it will also be using API to check your sold listings. It could check for notifications from the API with your token to confirm if an order is processing, and then typically once an order is paid, that would trigger the software to basically say “The item sold! Let’s increase the sold number by 1”.
How are we being lied to?
eBay had claimed that this new authorization for the eBay community was to restore the avatar images and feedback modules that had not been working for a couple months now. For those of us who have experience with the eBay API and know what the Application Access grants, we know this is a lie.
The store avatar images and feedback? Those are both pieces of PUBLIC information. You do not need any private access to retrieve these images. Just like how you could go to another seller’s store page and see their images and feedback on the eBay website directly, software could do this with the eBay API without any special access.
To prove this, I’ve tested it myself. I browsed to the eBay homepage and one of the daily deals it’s giving me is for this listing: https://www.ebay.com/itm/202694169021
If I use the eBay API call “GetStore”, with this seller’s name: “harmanaudio”, I do not have any “Application Access” for them. I will only be retrieving public information. The full information is quite long, but this is an excerpt from the results that I receive from the eBay API:
{
  "$": {
    "xmlns": "urn:ebay:apis:eBLBaseComponents"
  },
  "Timestamp": "2021-11-19T18:23:12.611Z",
  "Ack": "Success",
  "Version": "1177",
  "Build": "E1177_CORE_API5_19110890_R1",
  "Store": {
    "Name": "Harman Audio",
    "URLPath": "harmanaudio",
    "URL": "http://www.ebay.com/str/harmanaudio",
    "SubscriptionLevel": "CustomCode",
    "Description": "Welcome to the official eBay store for the Harman family of brands: JBL, Harman Kardon, AKG, and Infinity. Shop premium wireless speakers, headphones, home speakers, car speakers, and more!",
    "Logo": {
      "URL": "http://i.ebayimg.com/00/s/MTE0WDIwMA==/z/FqcAAOSwdBRZg6by/$_1.JPG?set_11.JPG?set_id=807"
    },
Sure enough, you could see in the “Logo” > “URL” section, there’s the avatar image. Again, I want to stress this is all public information freely available to the eBay API without any Application Access.
Then I could use the GetFeedback API call on the same store and here is another excerpt:
{
  "$": {
    "xmlns": "urn:ebay:apis:eBLBaseComponents"
  },
  "Timestamp": "2021-11-19T18:26:23.179Z",
  "Ack": "Success",
  "Version": "1201",
  "Build": "E1201_CORE_APIFEEDBACK_19196963_R1",
  "FeedbackScore": "197512",
As you could see, this information is all public, freely accessible information that does not require any form of Application Access.
And then for the URL links to others’ listings? You could literally do that with a URL and a simple store name:
https://www.ebay.com/sch/zamo-zuan/m.html?_nkw=&_armrs=1&_ipg=&_from=
Just change zamo-zuan to the username. You do NOT need the eBay API at all for this one!
The data already exists in the Community Forum servers
One more alarming thing is that we're being told this access is what's restoring the images. But if you take a look at existing posts in the dev console, you can see that the avatar images already exist on the Khoros/Lithium servers!
For the record, I retrieved that on another PC that was NOT logged in and NOT authorized! As you could see in the screenshot, the image already exists on the lithium server. No access to eBay is needed, and certainly not API access.
If the images already exist on the Lithium server, if we're not seeing them, then Khoros/Lithium itself is blocking us from seeing information on their own servers.
Yet we're being told that we need to approve access in order to see this information...?
So this brings me back to my original question…
Why is eBay lying to us about Application Access? What information is really being retrieved from our stores?
The only reason for Application Access would be to access any private information. What private information could the eBay Community possibly need?
Furthermore, they’re not even following their own terms, as they are supposed to be transparent about the reasons they’re requesting access in the Application Access request itself. It even states if you click for more information that “Additional capabilities as described to you in the application or by the application’s provider” - and the eBay community does NOT describe what additional capabilities are being accessed. And as mentioned, the reason we’re being given does not require this type of access.
To make things even worse, it says “Just go to my eBay if you change your mind”. I tried to go there to monitor our 3rd party authorizations, and the preferences page isn’t even loading to allow us to see what applications are accessing our accounts, or remove their access!
So what’s really going on here, eBay?
What private information is being accessed by the Community software?
Why is the request not even informing us of what is being accessed?
Why is the wool being pulled over community members' eyes?
Why are members being told reasons that could easily be debunked?
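A toy model of the grant described in the post above, added here as an example (it is not code from the post, from eBay, or from the community platform). It shows a token bound to one application and one account, public calls succeeding without any grant from the account owner, and a log of the private calls a granted application actually made. The "AddItem"/"GetOrders" classification and the account names are assumptions made for the model.

```python
import secrets
from dataclasses import dataclass, field

# Assumed classification for this model: the two calls the post shows as
# public, plus two Trading API calls standing in for "private" functions.
PUBLIC_CALLS = {"GetStore", "GetFeedback"}
PRIVATE_CALLS = {"AddItem", "GetOrders"}


@dataclass
class ToyApi:
    """Simplified model of delegated access; not eBay's implementation."""
    grants: dict = field(default_factory=dict)  # token -> (app, user)
    audit: list = field(default_factory=list)   # (app, user, call, allowed)

    def grant(self, app, user):
        """The user accepts the 'Grant Application Access' page for one app."""
        token = secrets.token_urlsafe(16)
        self.grants[token] = (app, user)
        return token

    def revoke(self, app, user):
        """The user removes the app from their third-party authorizations."""
        self.grants = {t: g for t, g in self.grants.items() if g != (app, user)}

    def call(self, app, name, target_user, token=None):
        """Return True if the call is allowed; every decision is logged."""
        if name in PUBLIC_CALLS:
            allowed = True  # no grant from the target account is needed
        elif name in PRIVATE_CALLS:
            # The token must exist and be bound to this app AND this account.
            allowed = self.grants.get(token) == (app, target_user)
        else:
            allowed = False  # unknown call: deny by default
        self.audit.append((app, target_user, name, allowed))
        return allowed

    def private_access_by(self, app, user):
        """Private calls that succeeded for this app on this account."""
        return [c for a, u, c, ok in self.audit
                if (a, u) == (app, user) and ok and c in PRIVATE_CALLS]


def demo():
    api = ToyApi()
    app, seller = "ExListing Manager", "constructed-seller"  # constructed names
    results = {
        "public_no_grant": api.call(app, "GetStore", seller),
        "private_no_grant": api.call(app, "AddItem", seller),
    }
    token = api.grant(app, seller)
    results["private_with_grant"] = api.call(app, "AddItem", seller, token)
    results["token_on_other_account"] = api.call(app, "GetOrders", "other-seller", token)
    api.revoke(app, seller)
    results["private_after_revoke"] = api.call(app, "GetOrders", seller, token)
    results["private_log"] = api.private_access_by(app, seller)
    return results


if __name__ == "__main__":
    print(demo())
```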
11-22-2021 11:22 PM
@zamo-zuan wrote:
@mam98031 wrote: Speaking for myself only, This problem was not fixed for me and many others before this pop up that we had to agree to in order to access the community.
Thing is, with how updates for software work, that experience is often an illusion. The forums had to have received an update to require access to login and cause the popup to appear. Any fixes would have coincided with this update.
Per testing, the forum no longer even allows your account to be logged in until you accept the popup. So inevitably, the first time you were logged in, it would be fixed.
Key point here is, for those who ignored the agreement, it was discovered to be already fixed. Confirmed with multiple sources before posting here. I made sure everything in the OP was reproducible before making the post.
While you used more words, we said mostly the same thing. And hopefully soon the pop up box will go away too. I am happy to see the Avatars and FB counts returning. They are of help sometimes when trying to help another member.
11-23-2021 12:39 AM
I just checked it with my second account and yep, it's still there and won't let me log in or post unless I grant the application access.
11-23-2021 05:48 AM
I closed my browser because I didn’t know/trust what it was, and it didn’t pop up at all the second time I tried
11-23-2021 06:15 AM
Gone for a month or less? Maybe that was the case with yours, but I recall messages from late September here plus an answer about it from one of the mods dated Sept. 28th or so.
11-23-2021 08:06 AM
@bossesale77 wrote:
I just checked it with my second account and yep, it's still there and won't let me log in or post unless I grant the application access.
Thank you for confirming!
11-23-2021 08:07 AM
@this*old*attic wrote: I closed my browser because I didn’t know/trust what it was, and it didn’t pop up at all the second time I tried
This was similar to my experience, except on the 2nd time, I noticed that I wasn't logged in, and it wouldn't allow login/posting until I had accepted.
11-23-2021 08:21 AM
So they can apparently take the time to move this thread but not to actually provide any answers or even a courtesy "we'll pass this on to the team"?
11-23-2021 08:59 AM - edited 11-23-2021 09:04 AM
@valueaddedresource wrote: So they can apparently take the time to move this thread but not to actually provide any answers or even a courtesy "we'll pass this on to the team"?
sheila@ebay tyler@ebay velvet@ebay
Sadly, this is something I mentioned some months back when they did the survey on here. They often take legitimate questions or issues and move them to another forum without explanation that will end up with fewer eyes on the thread, and never reply to the actual issue. It makes it clear that the motive is to keep things quiet, rather than offer assistance or address problems. Way to communicate to sellers that our concerns aren't legitimate 😕
How does this thread classify as "feedback"? It's of the utmost importance to sellers, as we're the ones whose API tokens have private information, and those with access are capable of modifying literally anything in our listings or seller account. If you're not a seller, there wouldn't be any risk of allowing API access. But sellers have their business at risk.
How on earth is a legitimate security concern "feedback"? We can't dumb down what these API tokens are. They give full and complete access to a seller's entire account! As I mentioned earlier, this is far more access than Customer Service agents are even allowed at eBay!
Would those in charge allow others to have keys to access their home or business without knowing what others are going to be doing there? Because that's what they're asking for in terms of asking for API access to our business accounts.
11-23-2021 10:40 AM - edited 11-23-2021 10:43 AM
The community platform feedback would actually be the place for this issue because it relates to problems with the platform. Sheila is in charge of the community platform and she monitors the threads on her forum, so she is the one who needs to see the issues that have arisen with the login.
This thread has provided a wealth of information surrounding the login, and how it works, doesn't work, or misbehaves. And if the developers need more data, they can now look at the accounts of those who posted their disparate results (I have six accounts I can play with if necessary).
It is my understanding that the login will be addressed in the next major update a few months from now, and that there was a choice between providing the avatar/feedback/links in each post, or fixing the login issue. Because the Mentors (a volunteer customer service group of eBay members dedicated to helping thousands of sellers each day) had the loudest voice in expressing supreme difficulty in helping members, the Mentors won out, and the login was pushed to the next rollout. Without the feedback link next to each post, Mentors could not even determine country or buyer/seller status, and could not easily review the issues behind the poster's complaint. It was so bad that I developed a 3P tool to help Mentors retrieve that data, which helped somewhat, but was still a bit copy/paste cumbersome.
I hope those who have posted here will understand the pressure to bring back the avatar/links first and then leave the login issue for the second round.
Of course, I am still wondering why the login was required to retrieve public data.
11-23-2021 11:11 AM - edited 11-23-2021 11:14 AM
@shipscript wrote:
Of course, I am still wondering why the login was required to retrieve public data.
In terms of the category being correct or not, my biggest dispute regarding that is it was moved to an inactive forum that doesn't have responses. I'm somehow the most helpful author of this forum, even more so than Sheila, and that's not really a good look. It's my opinion that security concerns should be treated as a serious issue that gets exposure and/or actual responses. As you could see from the trend of all the other posts here, that's not the intent of this forum category. I'd have a different opinion if things were addressed. But this isn't really a new pattern, sadly this is the usual routine. Legitimate concerns get put on the back burner.
For them to have moved it, it shows the thread had caught their attention. But they still didn't respond to the concerns. This implies it's less about cleaning the forum categories up, as the choice was made not to address the topic and just move it. More effort was put into moving the thread than providing assistance for the security concerns. The silence speaks volumes.
With that said, I absolutely understand the pressure, that's not the issue I have. It's good if they do fixes.
The main issue I have pertains to the part quoted, that we're being told a reason that is easily debunked. If we wanted to restore the "View Listing" links it doesn't even require any API calls. It seems Lithium uses Angular and in less than a minute it's easy to set up a view listing link in Angular if you have the user name - no API calls needed.
11-23-2021 12:16 PM
Thanks @shipscript - I understand the pressure they're under and I understand from a "how the boards are structured" standpoint this may even be the best place for this topic.
If moving it here is the best way to get it addressed, great! But would it really be so hard to take just a few seconds to say that? A quick "we're moving this here so Sheila can see and address it" note would have been nice.
Sheila posted she was locking this thread about the issue 12 minutes after I first tagged her here - again would it have been so difficult for her or any of the other staff here to at least acknowledge this thread, even if just to say something like "please start a new thread on the community feedback board" or "we'll look into this and get back to you"?
The lack of communication is frustrating and regardless of any other pressure or whatever else may be going on in this situation, there's just no good reason for it, in my opinion.
11-23-2021 12:55 PM
Hi @valueaddedresource - chiming in on this to say that there is a current technical issue that is preventing third-party access from being visible in some browsers (I've added folks who say they're impacted to the open ticket).
As to the 'why' of this change - I'm not technical so I can't really speak to the in-depth analysis that @zamo-zuan has done. I can say that this was the fix that we could get implemented now as opposed to Q1, so it was what we went with.
I agree with @shipscript that moving the thread to the platform feedback board was the appropriate course of action given the topic, and also want to clarify that anyone can report a thread to the mod team if they feel it is on an incorrect board. Just because a thread has been moved does not mean that a member of the Community Team has read and reviewed it.
Thanks!
11-23-2021 01:00 PM
they don't care. they stabbed me in the back. today...
11-23-2021 01:14 PM
tyler@ebay wrote: Hi @valueaddedresource - chiming in on this to say that there is a current technical issue that is preventing third-party access from being visible in some browsers (I've added folks who say they're impacted to the open ticket).
As to the 'why' of this change - I'm not technical so I can't really speak to the in-depth analysis that @zamo-zuan has done. I can say that this was the fix that we could get implemented now as opposed to Q1, so it was what we went with.
I agree with @shipscript that moving the thread to the platform feedback board was the appropriate course of action given the topic, and also want to clarify that anyone can report a thread to the mod team if they feel it is on an incorrect board. Just because a thread has been moved does not mean that a member of the Community Team has read and reviewed it.
Thanks!
Thanks for the response tyler@ebay ! Just to be clear on the 3rd party access issue though - @coffeebean832 said they get the error on the posting ID they use for the community (the ID that did agree to grant access) but they *do not* get the error on their selling ID which they don't use for the community and did not grant access for.
It's not clear if the error is related to the grant application access issue here but if one user with two different IDs (presumably using the same browser) is only seeing it on one ID and not another, I'm guessing odds are it isn't likely to be a browser issue.
Coffee - can you confirm if you were using the same browser for both IDs?
11-23-2021 01:43 PM
@valueaddedresource- No I wasn't using the same browser- but I did more testing just now.
My selling IDs that haven't posted here were checked in Firefox- I had no issues accessing 3rd party authorizations.
My posting ID was checked in Firefox- I could not access 3rd party authorizations.
I checked the IDs on several other browsers- no problem accessing the info on selling IDs that haven't posted here- but could not access the info on my posting ID no matter what browser I tried.