11-19-2021 12:00 PM
This is a response to eBay’s claims that the new “Application Access” authorization is to repair the avatars and feedback that have been missing from the eBay community, originally posted here: https://community.ebay.com/t5/Share-Community-Platform/Intermittent-issues-on-Community-platform-mis...
The information mentioned is freely available to anyone. You do not need any form of application authorization to retrieve this information.
As evidence to back up this claim, I will have to give an explanation of exactly what these “Grant Application Access” messages are, how the eBay API works, and what information is freely available.
What is the eBay API?
The eBay API is basically a system that will allow software to communicate with eBay and exchange information/data. Much of eBay’s website uses the API to retrieve the information that it displays on the “My eBay” and “Sellers Hub” pages.
What information is available through the API?
In basic terms, there are basically two classes of information that are available on eBay. For this explanation I’ll be calling them Public and Private.
For example, when you’re browsing eBay and looking at other users' listings, the information you’re seeing is “public”. This means anyone can see the information. You could see the item they posted, the photos, the pricing, etc.
In another example, if you go to revise your own listings, you’ll see all the “public” information that was shown, but since you’re logged in to your own account, you also have access to seeing additional information such as rate tables, handling time, promotion values, etc. This is the “private” information. Typically, you could only see “Private” information on your own account.
Some functions of eBay are private as well. If you try to create a new listing, that is considered a “private” function. Nobody else could create new listings for your store. Only you could.
What are these “Grant Application Access” pages?
Let’s say for example that I’ve created a piece of software to assist with creating listings, and checking recent orders to see if any of the listings that were created sold. We’ll say in this example that the name of this software was “ExListing Manager”.
By default, “ExListing Manager” could use the eBay API to check information that is public.
Now you’ve learned about “ExListing Manager” and you’d like to try it. Once you’re registering for the software, it’ll direct you to a webpage that states:
“Grant Application Access: ExListing Manager”
If you agree to this request, it basically generates a token (let’s say like a password) that will allow “ExListing Manager” to access your private eBay data.
Prior to agreeing, if “ExListing Manager” attempted to create a listing on your store, it wouldn’t be allowed. But after you had agreed, it can send the request to create a listing to the eBay API, and it can now use the token, and eBay would allow the software to create the listing on your behalf.
“ExListing Manager” also is supposed to track if the listings it creates are sold. So it will also be using API to check your sold listings. It could check for notifications from the API with your token to confirm if an order is processing, and then typically once an order is paid, that would trigger the software to basically say “The item sold! Let’s increase the sold number by 1”.
How are we being lied to?
eBay had claimed that this new authorization for the eBay community was to restore the avatar images and feedback modules that had not been working for a couple of months now. For those of us who have experience with the eBay API and know what the Application Access grants, we know this is a lie.
The store avatar images and feedback? Those are both pieces of PUBLIC information. You do not need any private access to retrieve these images. Just like how you could go to another seller’s store page and see their images and feedback on the eBay website directly, software could do this with the eBay API without any special access.
To prove this, I’ve tested it myself. I browsed to the eBay homepage and one of the daily deals it’s giving me is for this listing: https://www.ebay.com/itm/202694169021
If I use the eBay API call “GetStore”, with this seller’s name: “harmanaudio”, I do not have any “Application Access” for them. I will only be retrieving public information. The full information is quite long, but this is an excerpt from the results that I receive from the eBay API:
{
"$": {
"xmlns": "urn:ebay:apis:eBLBaseComponents"
},
"Timestamp": "2021-11-19T18:23:12.611Z",
"Ack": "Success",
"Version": "1177",
"Build": "E1177_CORE_API5_19110890_R1",
"Store": {
"Name": "Harman Audio",
"URLPath": "harmanaudio",
"URL": "http://www.ebay.com/str/harmanaudio",
"SubscriptionLevel": "CustomCode",
"Description": "Welcome to the official eBay store for the Harman family of brands: JBL, Harman Kardon, AKG, and Infinity. Shop premium wireless speakers, headphones, home speakers, car speakers, and more!",
"Logo": {
"URL": "http://i.ebayimg.com/00/s/MTE0WDIwMA==/z/FqcAAOSwdBRZg6by/$_1.JPG?set_11.JPG?set_id=807"
},
Sure enough, you could see in the “Logo” > “URL” section, there’s the avatar image. Again, I want to stress this is all public information freely available to the eBay API without any Application Access.
Then I could use the GetFeedback API call on the same store and here is another excerpt:
{
"$": {
"xmlns": "urn:ebay:apis:eBLBaseComponents"
},
"Timestamp": "2021-11-19T18:26:23.179Z",
"Ack": "Success",
"Version": "1201",
"Build": "E1201_CORE_APIFEEDBACK_19196963_R1",
"FeedbackScore": "197512",
As you could see, this information is all public, freely accessible information that does not require any form of Application Access.
And then for the URL links to others’ listings? You could literally do that with a URL and a simple store name:
https://www.ebay.com/sch/zamo-zuan/m.html?_nkw=&_armrs=1&_ipg=&_from=
Just change zamo-zuan to the username. You do NOT need the eBay API at all for this one!
The data already exists in the Community Forum servers
One more alarming thing is that we're being told this access is what's restoring the images. But if you take a look at existing posts in the dev console, you can see that the avatar images already exist on the Khoros/Lithium servers!
For the record, I retrieved that on another PC that was NOT logged in and NOT authorized! As you could see in the screenshot, the image already exists on the Lithium server. No access to eBay is needed, and certainly not API access.
If the images already exist on the Lithium server and we’re not seeing them, then Khoros/Lithium itself is blocking us from seeing information on their own servers.
Yet we're being told that we need to approve access in order to see this information...?
So this brings me back to my original question…
Why is eBay lying to us about Application Access? What information is really being retrieved from our stores?
The only reason for Application Access would be to access any private information. What private information could the eBay Community possibly need?
Furthermore, they’re not even following their own terms, as they are supposed to be transparent about the reasons they’re requesting access in the Application Access request itself. It even states if you click for more information that “Additional capabilities as described to you in the application or by the application’s provider” - and the eBay community does NOT describe what additional capabilities are being accessed. And as mentioned, the reason we’re being given does not require this type of access.
To make things even worse, it says “Just go to my eBay if you change your mind”. I tried to go there to monitor our 3rd party authorizations, and the preferences page isn’t even loading to allow us to see what applications are accessing our accounts, or remove their access!
So what’s really going on here, eBay?
What private information is being accessed by the Community software?
Why is the request not even informing us of what is being accessed?
Why is the wool being pulled over community members' eyes?
Why are members being told reasons that could easily be debunked?
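The public/private split and the consent token described in the post above, modelled as a small runnable example (added here for illustration; it is not eBay’s code or the post author’s, and the scope names, token format, and store data are constructed for the example, with only the call names GetStore, GetFeedback and AddItem taken from the post). It shows that an avatar and feedback score come back with no token at all, that a private call fails until a user grants the application access, that the token is bound to the granting user and its scopes, and what a working “remove access” control would do:

```python
"""Model of the public/private split behind an application-access grant.

Hypothetical model for illustration: the call names follow the post, but the
scopes ("sell.inventory", "sell.fulfillment"), the token format and the sample
store record are constructed, not eBay's real API.
"""
import secrets
from dataclasses import dataclass, field

# Public calls answer without any user token; private calls need a token the
# user granted to the calling application, carrying the matching scope.
PUBLIC_CALLS = {"GetStore", "GetFeedback"}
PRIVATE_CALLS = {"AddItem": "sell.inventory", "GetOrders": "sell.fulfillment"}

# Constructed sample data, shaped like the GetStore/GetFeedback excerpts in the post.
STORES = {
    "harmanaudio": {
        "Store": {"Name": "Harman Audio",
                  "Logo": {"URL": "https://example.invalid/harmanaudio-logo.jpg"}},
        "FeedbackScore": "197512",
    }
}


class AccessDenied(Exception):
    """Raised when a private call arrives without a valid, matching grant."""


@dataclass
class Grant:
    user: str           # the account that clicked "Agree" on the consent page
    app: str            # the application that receives the token
    scopes: frozenset   # what the token may do on that account
    revoked: bool = False


@dataclass
class AuthorizationServer:
    grants: dict = field(default_factory=dict)  # token -> Grant

    def grant_application_access(self, user, app, scopes):
        """What the consent page does: mint a bearer token for `app` on behalf of `user`."""
        token = secrets.token_urlsafe(24)
        self.grants[token] = Grant(user, app, frozenset(scopes))
        return token

    def revoke(self, token):
        """The 'remove access' control; the post says the page offering it does not load."""
        self.grants[token].revoked = True

    def call(self, name, seller, token=None):
        """Dispatch one API call; only PRIVATE_CALLS ever look at the token."""
        if name in PUBLIC_CALLS:
            return self._public(name, seller)
        if name not in PRIVATE_CALLS:
            raise KeyError(name)
        grant = self.grants.get(token)
        if grant is None or grant.revoked:
            raise AccessDenied(f"{name}: no valid application-access token")
        if grant.user != seller:
            raise AccessDenied(f"{name}: token was granted by {grant.user}, not {seller}")
        if PRIVATE_CALLS[name] not in grant.scopes:
            raise AccessDenied(f"{name}: token lacks scope {PRIVATE_CALLS[name]}")
        return {"Ack": "Success", "Call": name, "Seller": seller, "App": grant.app}

    def _public(self, name, seller):
        store = STORES[seller]
        if name == "GetStore":
            return {"Ack": "Success", "Store": store["Store"]}
        return {"Ack": "Success", "FeedbackScore": store["FeedbackScore"]}


def avatar_and_feedback(server, seller):
    """Everything a profile widget needs, fetched with no token at all."""
    logo = server.call("GetStore", seller)["Store"]["Logo"]["URL"]
    score = server.call("GetFeedback", seller)["FeedbackScore"]
    return logo, score


def audit_grants(server, user):
    """What a working 'third-party authorizations' page would list for a user."""
    return sorted((g.app, sorted(g.scopes), g.revoked)
                  for g in server.grants.values() if g.user == user)


if __name__ == "__main__":
    server = AuthorizationServer()
    print(avatar_and_feedback(server, "harmanaudio"))          # works with no grant
    tok = server.grant_application_access("harmanaudio", "ExListing Manager", ["sell.inventory"])
    print(server.call("AddItem", "harmanaudio", tok))          # allowed by the grant
    print(audit_grants(server, "harmanaudio"))
    server.revoke(tok)
```

The design point is that the widget function never touches a token, so an application that only needs avatars and feedback has no reason to request a grant; and because every grant is recorded server-side, revocation is a one-line state change that does not depend on the application cooperating.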
12-10-2021 10:41 AM - edited 12-10-2021 10:42 AM
@hurryagain wrote:
When that grant access page popped up the first time for me, all I could see and hear were red alarm bells everywhere. I am NOT a tekkie by a long shot...I probably know the least in the technical dept. than anyone else who posted here.
I just have major trust issues and it actually became a positive thing to have in this situation.
There was NO WAY that I was going to grant any form of access to a third party in regards to anything concerning my eBay account...just crazy...who knows what I am granting access to...???
I thought that I was just going to be a watcher of questions and issues that arise on these boards and nothing more until about 2 weeks after the grant access notification first started. Suddenly I was signed in without any need to grant access to anything. I am sooo happy that I refused to partake in that scheme situation and I sure do feel for all who have granted access.
If it were me who had granted access only to find out that I did not need to do such a thing a few weeks later, I would be royally bleeped!
So sorry to all who are rightfully concerned.
Yeah. I didn't want to accept it. But I wouldn't have been able to post without logging in, and I felt it was important to take the risk in order to inform people and try to get answers regarding this, because as mentioned, we have no idea what access happened and eBay didn't follow their own policies!
And as you mentioned, that's the issue - who knows who or what we had granted it to?
It only made the problem worse when explanations given to us could be debunked. Honestly, that's kind of crazy to me. When being approached about things not being true, why on earth would the responses be something else that could be shown to not be true...? Was that supposed to alleviate our worries? It just gave more reason for concern and some more examples of exactly what I was talking about.
Then to give the impression that I called it a conspiracy is just weird. I just asked for the truth.
I have to be frank. The biggest piece of evidence of it not being a conspiracy is how poor the responses were. If it was an actual conspiracy the responses would have likely been more careful, as it's doubtful anyone would cover a conspiracy with an easily debunked excuse.
I just wish I knew why it was so hard to get to the truth. Things we're being told are not factual and the responses have only added more things to be concerned about, rather than alleviating the concern.
12-10-2021 10:46 AM
...maybe they didn't think that the few tech geniuses that we have on these boards would not look into the situation more carefully...???
What a price to pay just to get one's avatar back...
12-10-2021 12:01 PM
@hurryagain wrote:
When that grant access page popped up the first time for me, all I could see and hear were red alarm bells everywhere. I am NOT a tekkie by a long shot...I probably know the least in the technical dept. than anyone else who posted here.
I just have major trust issues and it actually became a positive thing to have in this situation.
There was NO WAY that I was going to grant any form of access to a third party in regards to anything concerning my eBay account...just crazy...who knows what I am granting access to...???
I thought that I was just going to be a watcher of questions and issues that arise on these boards and nothing more until about 2 weeks after the grant access notification first started. Suddenly I was signed in without any need to grant access to anything. I am sooo happy that I refused to partake in that scheme situation and I sure do feel for all who have granted access.
If it were me who had granted access only to find out that I did not need to do such a thing a few weeks later, I would be royally bleeped!
So sorry to all who are rightfully concerned.
It was a temporary fix to get around a problem in the community. It has now been gone for a while, I'm not sure why it is still of concern. I do understand and respect why there was concern, but it is now behind us.
12-10-2021 12:11 PM - edited 12-10-2021 12:12 PM
@zamo-zuan wrote: I was hoping the communication would continue. Now that so much time has passed I guess it's safe to assume that the further concerns I've brought up are not going to be addressed at this point... And we're just going to be left with the one reply.
Looking over the reply again, I find it extremely odd that the very first thing mentioned is "no conspiracy". I browsed this entire thread, and not once was the word conspiracy mentioned by anyone. From the beginning, it seems what I had said was misrepresented in the response in order to not fully reply to the concerns brought up.
What I had asked was why were we lied to. And as mentioned in message #69, I understand that it could have been a lie of omission during communication with other teams, and/or them not fully knowing/understanding the situation.
But considering we could confirm for ourselves that the things mentioned weren't true/didn't play out as described, somebody had lied. Not necessarily any of the mods here, they may have been unaware of the situation since they are not tech people. But somebody had given out this information that was not true, and that information was passed to us.
Shouldn't the buck stop somewhere? If those in charge of the forums here don't want the responsibility to fall on them, isn't it their responsibility to trace back to whoever gave this information in the first place, and then advocate for us so we can get some real answers as to exactly what happened?
We're still left without any disclosure of what was accessed when we allowed permission, with eBay still never fulfilling their own policies. We're given reasons that don't make sense. We're told the problem would be fixed by logging in when it was fixed before logging in. We're told the 3rd party access page glitch was a "browser issue" when we can confirm it's not a browser issue. And despite the access not being required anymore, we still cannot revoke access to these keys to restore our security and no resolution was provided. And something that we were told wasn't possible to be fixed until next year was seemingly resolved in around a week, raising questions as to why it wasn't done that way in the first place.
Also, just looking at the timeline now as I write this post, it's hard not to notice one more claim that doesn't make sense based on two pieces of information... If this post/request for a response was not seen earlier... And if the resolution to the issues raised here took over a week... How could the issue have not been seen if it was pushed to the team to deploy a resolution over a week before the issue was resolved - when it was resolved on the day of the response?
As I said in my earlier post, this causes major trust issues.
From @zamo-zuan's post from earlier today. Highlighted in red is their main concern.
I do not blame them either.
12-10-2021 01:14 PM - edited 12-10-2021 01:14 PM
@mam98031 wrote: It was a temporary fix to get around a problem in the community. It has now been gone for a while, I'm not sure why it is still of concern. I do understand and respect why there was concern, but it is now behind us.
As Hurry had mentioned, the majority of us who had accepted (maybe all of us? I don't recall seeing anyone confirming they were able to remove them) cannot revoke access to those tokens.
The approval upon coming to the boards may be gone, but the API keys are still active and able to fully access our account, with no way to remove them. So it's still not behind us until the 3rd party apps page isn't broken and we can remove those API keys.
12-10-2021 05:24 PM
What makes you think it's gone now, that they don't still have access inside our seller accounts? How could you know if they did or not?