When you create a shop on Etsy, you can upload an image to be used as a banner.
The upload form in the administration section stops you changing the shop to one you don’t control, as expected.
There is, however, an AJAX endpoint which can also be used to upload these images. Unlike the form, it doesn’t check that you are the owner of the shop on upload.
We can easily upload any image we want onto any shop we want. This could be used to damage a business’s reputation, or, as happened on the Silk Road, to upload a banner that prompts prospective customers to send their orders and payments to an email address we control.
Fix
Etsy fixed this in a simple way - they now check you’re the owner on upload.
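To make the bug and the fix concrete, here is an added example (not Etsy’s code) modelling the two upload paths described above: a handler that trusts the client-supplied shop id, and the corrected handler that checks the session user owns the target shop before writing. The shop registry and request shape are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: which user owns which shop.
SHOP_OWNERS = {"shop-1": "alice", "shop-2": "bob"}
# Where uploaded banners end up (stands in for the real image store).
BANNERS: dict[str, bytes] = {}


class Forbidden(Exception):
    """Raised when the session user is not allowed to modify the shop."""


@dataclass
class Request:
    user: str      # authenticated user taken from the session, trusted
    shop_id: str   # shop id supplied by the client, attacker-controlled
    image: bytes   # uploaded banner bytes


def upload_banner_vulnerable(req: Request) -> str:
    """Mirrors the AJAX endpoint in the post: any logged-in user can
    overwrite the banner of any shop, because ownership is never checked."""
    if req.shop_id not in SHOP_OWNERS:
        raise KeyError(req.shop_id)
    BANNERS[req.shop_id] = req.image
    return req.shop_id


def require_shop_owner(user: str, shop_id: str) -> None:
    """Object-level authorization: the shop must exist and belong to user.
    Apply this in every code path that writes to a shop, not just the form."""
    owner = SHOP_OWNERS.get(shop_id)
    if owner is None or owner != user:
        raise Forbidden(f"user {user!r} does not own shop {shop_id!r}")


def upload_banner_fixed(req: Request) -> str:
    """The corrected endpoint: same upload logic, but only after the
    ownership check passes for the session user."""
    require_shop_owner(req.user, req.shop_id)
    BANNERS[req.shop_id] = req.image
    return req.shop_id
```

The key point is that the check keys on the session user rather than on anything the client sends, and that it is shared by every route that can modify the shop.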