
Why is eBay lying to us?

This is a response to eBay’s claims that the new “Application Access” authorization is to repair the avatars and feedback that have been missing from the eBay community, originally posted here: https://community.ebay.com/t5/Share-Community-Platform/Intermittent-issues-on-Community-platform-mis...

 

The information mentioned is freely available to anyone. You do not need any form of application authorization to retrieve this information. 

 

As evidence to back up this claim, I will have to give an explanation of exactly what these “Grant Application Access” messages are, how the eBay API works, and what information is freely available.

 

What is the eBay API?

 

The eBay API is basically a system that will allow software to communicate with eBay and exchange information/data. Much of eBay’s website uses the API to retrieve the information that it displays on the “My eBay” and “Sellers Hub” pages.

 

What information is available through the API?

 

In basic terms, there are basically two classes of information that are available on eBay. For this explanation I’ll be calling them Public and Private.

 

For example, when you’re browsing eBay and looking at other users' listings, the information you’re seeing is “public”. This means anyone can see the information. You could see the item they posted, the photos, the pricing, etc.

 

In another example, if you go to revise your own listings, you’ll see all the “public” information that was shown, but since you’re logged in to your own account, you also have access to seeing additional information such as rate tables, handling time, promotion values, etc. This is the “private” information. Typically, you could only see “Private” information on your own account. 

 

Some functions of eBay are private as well. If you try to create a new listing, that is considered a “private” function. Nobody else could create new listings for your store. Only you could.

 

What are these “Grant Application Access” pages?

 

Let’s say for example that I’ve created a piece of software to assist with creating listings, and checking recent orders to see if any of the listings that were created sold. We’ll say in this example that the name of this software was “ExListing Manager”

 

By default, “ExListing Manager” could use the eBay API to check information that is public.

 

Now you’ve learned about “ExListing Manager” and you’d like to try it. Once you’re registering for the software, it’ll direct you to a webpage that states:

 

Grant Application Access: ExListing Manager

 

If you agree to this request, it basically generates a token (let’s say like a password) that will allow “ExListing Manager” to access your private eBay data. 

 

Prior to agreeing, if “ExListing Manager” attempted to create a listing on your store, it wouldn’t be allowed. But after you had agreed, it can send the request to create a listing to the eBay API, and it can now use the token, and eBay would allow the software to create the listing on your behalf.

 

“ExListing Manager” also is supposed to track if the listings it creates are sold. So it will also be using API to check your sold listings. It could check for notifications from the API with your token to confirm if an order is processing, and then typically once an order is paid, that would trigger the software to basically say “The item sold! Let’s increase the sold number by 1”.

 

How are we being lied to?

 

eBay had claimed that this new authorization for the eBay community was to restore the avatar images and feedback modules that had not been working for a couple months now. For those of us who have experience with the eBay API and know what the Application Access grants, we know this is a lie.

 

The store avatar images and feedback? Those are both pieces of PUBLIC information. You do not need any private access to retrieve these images. Just like how you could go to another seller's store page and see their images and feedback on the eBay website directly, software could do this with the eBay API without any special access.

 

To prove this, I’ve tested it myself. I browsed to the eBay homepage and one of the daily deals it’s giving me is for this listing: https://www.ebay.com/itm/202694169021

 

If I use the eBay API call “GetStore”, with this seller's name: “harmanaudio”, I do not have any “Application Access” for them. I will only be retrieving public information. The full information is quite long, but this is an excerpt from the results that I receive from the eBay API:

 

 

{
  "$": {
    "xmlns": "urn:ebay:apis:eBLBaseComponents"
  },
  "Timestamp": "2021-11-19T18:23:12.611Z",
  "Ack": "Success",
  "Version": "1177",
  "Build": "E1177_CORE_API5_19110890_R1",
  "Store": {
    "Name": "Harman Audio",
    "URLPath": "harmanaudio",
    "URL": "http://www.ebay.com/str/harmanaudio",
    "SubscriptionLevel": "CustomCode",
    "Description": "Welcome to the official eBay store for the Harman family of brands: JBL, Harman Kardon, AKG, and Infinity. Shop premium wireless speakers, headphones, home speakers, car speakers, and more!",
    "Logo": {
      "URL": "http://i.ebayimg.com/00/s/MTE0WDIwMA==/z/FqcAAOSwdBRZg6by/$_1.JPG?set_11.JPG?set_id=807"
    },

 

 

Sure enough, you could see in the “Logo” > “URL” section, there’s the avatar image. Again, I want to stress this is all public information freely available to the eBay API without any Application Access.

 

Then I could use the GetFeedback API call on the same store and here is another excerpt:

 

 

{
  "$": {
    "xmlns": "urn:ebay:apis:eBLBaseComponents"
  },
  "Timestamp": "2021-11-19T18:26:23.179Z",
  "Ack": "Success",
  "Version": "1201",
  "Build": "E1201_CORE_APIFEEDBACK_19196963_R1",
  "FeedbackScore": "197512",

 

 

As you could see, this information is all public, freely accessible information that does not require any form of Application Access.

 

And then for the URL links to others' listings? You could literally do that with a URL and a simple store name:

 

https://www.ebay.com/sch/zamo-zuan/m.html?_nkw=&_armrs=1&_ipg=&_from= 

 

Just change zamo-zuan to the username. You do NOT need the eBay API at all for this one!

 

The data already exists in the Community Forum servers

 

One more alarming thing is that we're being told this access is what's restoring the images. But if you take a look at existing posts in the dev console, you can see that the avatar images already exist on the Khoros/Lithium servers!

 

zamozuan_1-1637351297450.png

 

For the record, I retrieved that on another PC that was NOT logged in and NOT authorized! As you could see in the screenshot, the image already exists on the lithium server. No access to eBay is needed, and certainly not API access.

 

If the images already exist on the Lithium server, if we're not seeing them, then Khoros/Lithium itself is blocking us from seeing information on their own servers.

 

Yet we're being told that we need to approve access in order to see this information...?

 

So this brings me back to my original question…

 

Why is eBay lying to us about Application Access? What information is really being retrieved from our stores?

 

The only reason for Application Access would be to access any private information. What private information could the eBay Community possibly need? 

 

Furthermore, they’re not even following their own terms, as they are supposed to be transparent about the reasons they’re requesting access in the Application Access request itself. It even states if you click for more information that “Additional capabilities as described to you in the application or by the application’s provider” - and the eBay community does NOT describe what additional capabilities are being accessed. And as mentioned, the reason we’re being given does not require this type of access.

 

To make things even worse, it says “Just go to my eBay if you change your mind”. I tried to go there to monitor our 3rd party authorizations, and the preferences page isn’t even loading to allow us to see what applications are accessing our accounts, or remove their access! 

 

zamozuan_0-1637349991235.png

 

So what’s really going on here, eBay?

 

What private information is being accessed by the Community software?

 

Why is the request not even informing us of what is being accessed?

 

Why is the wool being pulled over community members' eyes?

 

Why are members being told reasons that could easily be debunked?

Message 1 of 81
80 REPLIES 80
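
The public/private split and the token grant described in the post above, as an added example that is not part of the original post and not eBay's code: a small Python model of a platform that gates private operations on an owner-granted token, followed by a review of a consent request against its stated purpose. The operation names, classes, finding codes and both sample requests are assumptions constructed from the post's description.

```python
from dataclasses import dataclass

# Operations named in the post, classified the way the post classifies them.
# The keys are hypothetical labels, not eBay API identifiers.
ACCESS_CLASS = {
    "store_logo": "public",          # post: GetStore -> Store.Logo.URL
    "feedback_score": "public",      # post: GetFeedback -> FeedbackScore
    "listing_search_url": "public",  # post: plain search URL with the user name
    "create_listing": "private",
    "read_sold_orders": "private",
}


class TokenStore:
    """Platform side: a grant binds one application to one account."""

    def __init__(self):
        self._grants = set()  # {(app, account)}

    def grant(self, app, account):
        self._grants.add((app, account))

    def revoke(self, app, account):
        self._grants.discard((app, account))

    def is_allowed(self, app, account, operation):
        kind = ACCESS_CLASS.get(operation)
        if kind is None:
            return False  # default deny for operations nobody classified
        if kind == "public":
            return True   # no consent from the account owner involved
        return (app, account) in self._grants  # private: owner consent required


@dataclass
class GrantRequest:
    app: str
    stated_needs: tuple          # what the provider says the access is for
    disclosed_capabilities: str  # text shown to the user on the consent page
    revocation_page_works: bool  # can the user list and remove the grant?


def audit(req):
    """Return finding codes for a consent request; an empty list means no findings."""
    findings = []
    unknown = [n for n in req.stated_needs if n not in ACCESS_CLASS]
    private = [n for n in req.stated_needs if ACCESS_CLASS[n] == "private"
               ] if not unknown else []
    if unknown:
        findings.append("UNCLASSIFIED_NEED:" + ",".join(unknown))
    elif not private:
        # Every stated need is public, so the stated purpose does not explain the token.
        findings.append("TOKEN_NOT_JUSTIFIED")
    if not req.disclosed_capabilities.strip():
        findings.append("CAPABILITIES_NOT_DISCLOSED")
    if not req.revocation_page_works:
        findings.append("NO_REVOCATION_PATH")
    return findings


# Constructed sample requests, built from what the post reports.
COMMUNITY = GrantRequest(
    "community-forum",
    ("store_logo", "feedback_score", "listing_search_url"),
    "",      # post: no additional capabilities were described
    False,   # post: the third-party authorizations page would not load
)
LISTING_TOOL = GrantRequest(
    "ExListing Manager",
    ("create_listing", "read_sold_orders"),
    "Creates listings and reads sold orders on your behalf",
    True,
)


def demo():
    store, out = TokenStore(), {}
    out["logo_no_grant"] = store.is_allowed("community-forum", "seller1", "store_logo")
    out["listing_no_grant"] = store.is_allowed("ExListing Manager", "seller1", "create_listing")
    store.grant("ExListing Manager", "seller1")
    out["listing_granted"] = store.is_allowed("ExListing Manager", "seller1", "create_listing")
    out["other_account"] = store.is_allowed("ExListing Manager", "seller2", "create_listing")
    store.revoke("ExListing Manager", "seller1")
    out["listing_revoked"] = store.is_allowed("ExListing Manager", "seller1", "create_listing")
    return out


if __name__ == "__main__":
    print(demo())
    print("community-forum:", audit(COMMUNITY))
    print("ExListing Manager:", audit(LISTING_TOOL))
```
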

Re: Why is eBay lying to us?

Thanks @coffeebean832 !

Message 61 of 81

Re: Why is eBay lying to us?


tyler@ebay wrote:

Hi @valueaddedresource - chiming in on this to say that there is a current technical issue that is preventing third-party access from being visible in some browsers (I've added folks who say they're impacted to the open ticket). 

 

As to the 'why' of this change - I'm not technical so I can't really speak to the in-depth analysis that @zamo-zuan has done. I can say that this was the fix that we could get implemented now as opposed to Q1, so it was what we went with.

 

I agree with @shipscript that moving the thread to the platform feedback board was the appropriate course of action given the topic, and also want to clarify that anyone can report a thread to the mod team if they feel it is on an incorrect board. Just because a thread has been moved does not mean that a member of the Community Team has read and reviewed it. 

 

Thanks!

 

 


Doesn't seem to be browser specific, it's an issue with the way scripts are being used/imported.

 

We could grab the logs of the error as well to know exactly what it is:

 

zamozuan_0-1637703852695.png

 

Which brings me back to the point of this thread...

 

With that said, I appreciate at least receiving a reply. But since we have to approve access to use the community right now, don't we have the right to know what is being accessed through our API access?

 

Especially considering there's not even a way to revoke access. Nor can we be sure if whatever information is gathered would be erased or even follow eBay's API policy, since eBay's policies weren't even followed properly in the access request?

 

 

Message 62 of 81

Re: Why is eBay lying to us?


@valueaddedresource wrote:


Thanks for the response tyler@ebay !  Just to be clear on the 3rd party access issue though

Coffee - can you confirm if you were using the same browser for both IDs?


@valueaddedresource 

 

tyler@ebay   (provided for troubleshooting programmers)

 

 

I have up to four browsers on my new Apple desktop. Two browsers (safari & brave) run on Apple, and two (firefox & edge) run under a virtual Win 10 on Apple. This is a brand new system, so I had not yet used all four browsers for one user, until this test.

 

In all four browsers, and upon revisits, this Shipscript user has never been required to log in through the Grant screen. Even after clearing cache, cookies, history and going through sign-in on the new browsers. So the permission appears to reside within the account.  In all cases, I logged into community first, signed in there as required, and  I was automatically signed into the core site.  My preferences are set as below, and since I have not been able to access 3P tokens for several months, I can only assume I have a token there.

 

One thing I have not yet tried is purposely logging out of eBay, which should touch my account. I'll do that after further testing with other accounts.

 

 

Account - settings - security

 

 

 

On a second account, using Private browsing mode, I logged in using the Grant screen. Subsequent visits through another browser did not require the Grant screen. Then I tried a new Private browser window in yet another browser, logging into the core site instead of logging into community. The login passed through Captcha and accessed my core account without passing through the Grant screen.  But I was not automatically logged into community as indicated by my account settings below. So I manually signed into Community and did not pass through the Grant screen again. At this point, that first Grant was all I needed.

 

 

Account - security - prefs and 3P

I have a few more eBay accounts I can test, one of which has been on the forums previously, but I'll wait to build a test suite.

 

ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.
Message 63 of 81

Re: Why is eBay lying to us?

Thanks for the testing results!

 

Hmm, so the Shipscript account hadn't been requesting access? I had wondered if there's a past access token that might be making certain accounts not have to require access in those cases. I do recall removing a community token some time back, possibly around a year ago. So far, 100% of those who have not had the grant access appear, have had broken 3rd party sections. Not enough users reported that yet to say anything with any certainty right now. But something to keep an eye on.

 

I would guess that logging out of eBay likely wouldn't make a difference, as when I was logged in or out of eBay, in both cases when I got to the community I was logged out. I had to log in individually in all cases (sign in automatically didn't seem to do anything).

 

And second account correlates my results too. Once you've approved, you don't need to again. Browsers didn't make a difference at all, incognito or regular windows, same Windows PC or different PCs.

Message 64 of 81

Re: Why is eBay lying to us?

@zamo-zuan 

 

I just used incognito mode in Firefox to log Shipscript into the core site. It did not automatically log me into the community.  Conversely, logging into the community has always logged me into the core site. 

 

When I clicked my avatar at the top of the community page in incognito, it then logged me into the community.  I did not pass through the grant screen. Strange behavior, but we'll figure this out.

 

 

ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.
Message 65 of 81

Re: Why is eBay lying to us?

tyler@ebay  - it's been almost a week and still no response from sheila@ebay despite the thread being moved here supposedly because this would be the best place for her to see it and address these issues.

 

I understand we had a holiday last week, but it would be nice for there to at least be some acknowledgement or sense of urgency given the importance of the privacy concerns raised here.

Message 66 of 81

Re: Why is eBay lying to us?


@valueaddedresource wrote:

tyler@ebay  - it's been almost a week and still no response from sheila@ebay despite the thread being moved here supposedly because this would be the best place for her to see it and address these issues.

 

I understand we had a holiday last week, but it would be nice for there to at least be some acknowledgement or sense of urgency given the importance of the privacy concerns raised here.


Hi @valueaddedresource - I've made sure Sheila is aware of the request!

Tyler,
eBay
Message 67 of 81

Re: Why is eBay lying to us?

sheila@ebay
eBay Staff (Alumni)

There is no conspiracy and/or lying either. In order for me to bring back the avatars, missing FB score and listings, I had to trade in one big problem for another smaller problem. This other smaller problem, the grant application page, had a clear path on how to remove it but there was a lot of work that needed to get done, hence the reason it took over a week. The grant application page DOES NOT apply to Community. It's a legacy page that shouldn't apply to anyone.

 

I'm still waiting to hear confirmation back from the team that's deploying this solution, but it looks like the grant application page is no longer showing as of this morning.

Sheila
Community Manager
eBay
Message 68 of 81

Re: Why is eBay lying to us?


sheila@ebay wrote:

There is no conspiracy and/or lying either. In order for me to bring back the avatars, missing FB score and listings, I had to trade in one big problem for another smaller problem. This other smaller problem, the grant application page, had a clear path on how to remove it but there was a lot of work that needed to get done, hence the reason it took over a week. The grant application page DOES NOT apply to Community. It's a legacy page that shouldn't apply to anyone.

 

I'm still waiting to hear confirmation back from the team that's deploying this solution, but it looks like the grant application page is no longer showing as of this morning.


Thank you for the response.

 

I must say this is very confusing as it seems to contradict some of the information from the thread linked in the OP. Specifically in two places. First that it doesn't apply to the community (even though it's actually titled eBay Community, and was mentioned as being part of the handshake between Khoros/eBay). Second that it wouldn't be possible to resolve the issue without the access request until Q1. While credit where credit is due, exceeding expectations is certainly a good thing, it obviously brings the original comments into question.

 

It's extra confusing considering it wouldn't even let us login without approving it, and you had told us that the fix was dependent on us logging in. Which itself doesn't seem to be the case, as users who hadn't logged in months/years have had the information restored. And as mentioned earlier, I had confirmed that things were already restored before even logging in.

 

Even if it's a request related to a legacy page, it's still creating new API access tokens for our account, that are live and out in the wild. And due to the other issues we've discussed in this thread, we can't even revoke access for the token right now. 

 

I hope you understand that my intent isn't to give a hard time. But I think it's important to mention these inconsistencies because it harms trust when we're being told things that don't seem to match up with the reality. Especially since this specific issue is related to our account security. Another example of this is that we were told the 3rd party access page was just a "browser issue" when we had confirmed otherwise for that as well. This does not inspire trust, quite the opposite.

 

The issue wasn't suspicion of a conspiracy - we didn't even have enough information to claim that. It's that we were left in the dark and didn't even know what was being accessed. We simply have no idea what those API keys are/were being used for at all. It sets off major red flags when eBay wasn't even following their own API policies with the access request. The forms were left blank. Yet we still had to accept it or we weren't allowed to post in the community at all.

 

I know this may not be your fault. I don't know if the tech team or another team is giving you and/or the community team this information or not. But the reality is things have not been matching up. With our access requests being directly related to account security, security isn't an area we should be slacking on or "giving a pass" when things don't match up to what we're told.

 

If the API access is no longer required, it would solve the most pressing issue to a point. But not completely, as sadly, I can't even test if that's the case, since the 3rd party apps page is broken. We still have an active API token out there and no way to revoke access (as did a number of others in this thread alone).

 

But being 100% transparent and honest here - it still doesn't solve the issues with lacking trust.

Message 69 of 81

Re: Why is eBay lying to us?


sheila@ebay wrote:

There is no conspiracy and/or lying either. In order for me to bring back the avatars, missing FB score and listings, I had to trade in one big problem for another smaller problem. This other smaller problem, the grant application page, had a clear path on how to remove it but there was a lot of work that needed to get done, hence the reason it took over a week.

 


I consider the missing avatars a smaller problem than granting third party access to my PRIVATE data, which I consider to be one big problem.  Unfortunately the clear path on how to remove it is broken with an error message to "please try again" so I cannot revoke the third party access.  I've been trying again daily to no avail.  If this is just an erroneous link it should take minutes to fix, not weeks.  This is a major security breach which should have the highest priority for an expedited fix.

Message 70 of 81

Re: Why is eBay lying to us?


@somanypostcards wrote:

sheila@ebay wrote:

There is no conspiracy and/or lying either. In order for me to bring back the avatars, missing FB score and listings, I had to trade in one big problem for another smaller problem. This other smaller problem, the grant application page, had a clear path on how to remove it but there was a lot of work that needed to get done, hence the reason it took over a week.

 


I consider the missing avatars a smaller problem than granting third party access to my PRIVATE data, which I consider to be one big problem.  Unfortunately the clear path on how to remove it is broken with an error message to "please try again" so I cannot revoke the third party access.  I've been trying again daily to no avail.  If this is just an erroneous link it should take minutes to fix, not weeks.  This is a major security breach which should have the highest priority for an expedited fix.


When I checked in to this, it looks like the 3rd party apps issues were around for some users since around July IIRC, when they moved it to the new page. Seems unlikely that this one will be fixed any time soon, sadly.

 

Not good news for those of us who had granted access and would like to remove the token.

 

Again, on the subject of trust, can we trust them to keep our tokens safe and secure when they can't or won't even follow eBay's API policies (that pertain to security) correctly?

Message 71 of 81

Re: Why is eBay lying to us?

 


@zamo-zuan wrote:

@bossesale77 wrote:

@zamo-zuan

 

I just checked it with my second account and yep, it's still there and won't let me log in or post unless I grant the application access.


Thank you for confirming!


 

@zamo-zuan 

@shipscript 

 

Sorry that I am late to this party but I refused to agree to the grant application access thing so I was locked out of responding to anything...I could only read posts and I had been watching this post in particular.

 

Well today, for some reason, I was given access to the community boards without agreeing to the grant application access.  I just went to the community home screen and my user profile was up along with the notifications...I did not even sign into the community...I was already signed in...???

 

I refused to do the grant application access thing.  I did not want to find later that I gave access to other things that I was not aware of so I thought oh well...I will no longer be able to join in...I would just be a reader only.  I have been locked out for about 2 weeks and then today - I am allowed access without doing the grant application thing?

 

Did they suddenly change things again and are now allowing us to access the community without the grant application?

 

I never had an avatar...always been the big blue blob...maybe I should change my user name BIG BLUE BLOB.

 

 

Message 72 of 81

Re: Why is eBay lying to us?

@hurryagain 

 

Sheila reported yesterday (5 posts ago) :

"I'm still waiting to hear confirmation back from the team that's deploying this solution, but it looks like the grant application page is no longer showing as of this morning."

 

https://community.ebay.com/t5/Share-Community-Platform/Why-is-eBay-lying-to-us/m-p/32503010#M26223

ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.
Message 73 of 81

Re: Why is eBay lying to us?

I was hoping the communication would continue. Now that so much time has passed I guess it's safe to assume that the further concerns I've brought up are not going to be addressed at this point... And we're just going to be left with the one reply.

 

Looking over the reply again, I find it extremely odd that the very first thing mentioned is "no conspiracy". I browsed this entire thread, and not once was the word conspiracy mentioned by anyone. From the beginning, it seems what I had said was misrepresented in the response in order to not fully reply to the concerns brought up.

 

What I had asked was why were we lied to. And as mentioned in message #69, I understand that it could have been a lie of omission during communication with other teams, and/or them not fully knowing/understanding the situation.

 

But considering we could confirm for ourselves that the things mentioned weren't true/didn't play out as described, somebody had lied. Not necessarily any of the mods here, they may have been unaware of the situation since they are not tech people. But somebody had given out this information that was not true, and that information was passed to us.

 

Shouldn't the buck stop somewhere? If those in charge of the forums here don't want the responsibility to fall on them, isn't it their responsibility to trace back to whoever gave this information in the first place, and then advocate for us so we can get some real answers as to exactly what happened?

 

We're still left without any disclosure of what was accessed when we allowed permission, eBay still never fulfilling their own policies. We're given reasons that don't make sense. We're told the problem would be fixed by logging in when it was fixed before logging in. We're told the 3rd party access page glitch was a "browser issue" when we confirmed it's not a browser issue. And despite the access not being required anymore, we still can not revoke access to these keys to restore our security and no resolution was provided. And something that we were told wasn't possible to be fixed until next year was seemingly resolved in around a week, raising questions as to why they weren't done that way in the first place.

 

Also, just looking at the timeline now as I write this post, it's hard not to notice one more claim that doesn't make sense based on two pieces of information... If this post/request for a response was not seen earlier... And if the resolution to the issues raised here took over a week... How could the issue have not been seen if it was pushed to the team to deploy a resolution over a week before the issue was resolved - when it was resolved on the day of the response?

 

As I said in my earlier post, this causes major trust issues.

Message 74 of 81

Re: Why is eBay lying to us?

 

@zamo-zuan 

 

When that grant access page popped up the first time for me, all I could see and hear were red alarm bells everywhere.  I am NOT a tekkie by a long shot...I probably know the least in the technical dept. than anyone else who posted here.

 

I just have major trust issues and it actually became a positive thing to have in this situation.

 

There was NO WAY that I was going to grant any form of access to a third party in regards to anything concerning my eBay account...just crazy...who knows what I am granting access to...???

 

I thought that I was just going to be a watcher of questions and issues that arise on these boards and nothing more until about 2 weeks after the grant access notification first started.  Suddenly I was signed in without any need to grant access to anything.  I am sooo happy that I refused to partake in that scheme situation and I sure do feel for all who have granted access.

 

If it were me who had granted access only to find out that I did not need to do such a thing a few weeks later, I would be royally bleeped!

 

So sorry to all who are rightfully concerned.

 

 

 

 

Message 75 of 81