
Well-known web sites that port-scan their visitors - XzetaU8
https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/
======
WhatIsDukkha
"""In our tests, uBlock is unable to block the port scans in the new Microsoft
Edge or Google Chrome as the extension does not have adequate permissions to
uncloak the DNS CNAME records."""

Seems highly relevant...

~~~
tedivm
I remember when Chrome started making these permission changes and claimed
that it wouldn't affect things like ublock, despite the ublock authors saying
otherwise. Google is going out of its way to use the power it has as the
dominant web browser to weaken ad blocking, and anyone who cares about a free
web should run screaming away from Chrome based browsers.

~~~
matheusmoreira
Google's new permissions model and APIs are actually great for weakening the
power and abuse potential of extensions. Honestly, the vast majority of them
aren't very trustworthy. I've seen extensions from banks that simply take over
the entire browser for "fraud prevention" or some other nonsense. The new
declarative APIs are great because extensions don't actually get access to
user data.

Blockers just happen to be so important and trusted that they shouldn't be
subjected to these reasonable limitations. Extensions like uBlock Origin and
Privacy Badger are so special and important that they should probably be fully
integrated into the browser itself instead of being optional.

~~~
hosteur
Exactly. uBlock and Privacy Badger are trying to make the browser a user agent
again.

~~~
matheusmoreira
Exactly. These extensions empower the user to such an extent they should just
become part of the browser instead. Browsers that lack these features could
hardly be classified as user agents. They're more like generic clients for
corporate websites.

Browsers are supposed to act on _our_ behalf by showing us the information we
want to see. They aren't supposed to show us advertising noise for someone
else's benefit, much less allow websites to track our every move. All such
attempts should be resisted.

~~~
bryan_w
uBlock should just release a browser and be done with it.

------
gayprogrammer
I'm thinking that arbitrary domains should not have access to any resource on
'127.0.0.1', for the same reason that browsers restrict access to resources at
'file://' without user permission.

~~~
salawat
It isn't just websites. It's everything really. The industry has proven to me
time and again that it is not worth it to explain to users what they are
doing and why they are doing it. Doing so seems like a complete waste of time
on the micro-scale, but on the macro-scale it builds confidence in the
integrity of practitioners and the business they're hired by by customers,
reaffirms positive social values/norms (asking for permission, politely
explaining when asked a question, and respecting others' property), and it
increases the bar in terms of expectation, and helps educate users by shaping
their expectation of what kinds of things one should expect a computer to be
able to do.

There wouldn't be half the computational illiteracy there is if we'd take the
time to explain the basics.

------
gruez
I can understand banks using client fingerprinting for fraud detection, but
Chick-fil-A? Are they worried that people might steal $5 of restaurant
vouchers?

~~~
kirse
You'd be surprised, Chick-fil-A has a TON of fraud to deal with given their
food's popularity. They push the "convenience" of the mobile app (and it is in
some ways), but coupon fraud was also a big hidden reason driving that;
basically all paper vouchers or barcode-based coupons moved over to app-only.
Same for their Christmas calendars that used to be paper coupons + those
receipt-based "Free Sandwich" surveys, etc... all have been clamped down with
vastly increased security over the years.

~~~
salawat
There might be a bit more sympathy for their plight, and a self-correcting
problem if they'd explain why they were doing it.

Sometimes just by pointing out that it's an issue, people will start to adjust
their behavior to make it not an issue anymore. There'll always be some ne'er-
do-wells, but if we let that deconstruct our expectation of positive respect
for one another's time and stuff, well... You reap what you sow.

------
lenkite
I am still so confused on why this vulnerability exists. For AJAX, you have
CORS. Why was this even permitted for web-sockets?

~~~
cygx
This vulnerability predates websockets (in fact, you can exploit it even
without Javascript) - they just make things more convenient.

Apparently, the shit hit the fan a while ago, prompting Opera to implement
'cross network protection'[1], but other browser vendors did not follow suit.

[1] https://web.archive.org/web/20121001002815/http://my.opera.com/securitygroup/blog/2012/07/03/operas-cross-network-protection

------
henriquez
At what point does all this surveillance capitalism tech become “unauthorized
access?”

Port scanning with no user consent seems borderline malicious to me. Since the
late 1990s I’ve seen language in ISP acceptable use policies banning port
scanning hosts without consent. If this is widely considered malicious by
industry norms for decades then how can this be considered ethical for a
random website to do against a user’s machine?

~~~
matheusmoreira
The only difference is a terms of service nobody reads which "allows" them to
do what they want, no matter how abusive.

~~~
cgriswald
In some of the cases there’s no chance to agree with the TOS or leave before
you are scanned.

> For example, Citibank, Ameriprise, and TIAA-CREF immediately port scanned
> our computers when visiting the main page of the site.

~~~
matheusmoreira
Yes. Most if not all websites with typical "by continuing to use the site you
agree to..." terms will drop cookies and fingerprint the user on their first
visit, breaching their own contract. They do it even if lack of consent is
made explicit by including Do Not Track in the HTTP headers.

These terms are obviously an attempt to get away with questionable behavior.
Instead of simply not doing bad things, they insist and point people to the
legalese when they complain as if it excused everything.

~~~
MereInterest
Exactly. It's very easy to be compliant with privacy law if you aren't
stalking your users in the first place. The best example I've seen for doing
it right was from godbolt.org, whose GDPR notice is refreshingly direct.

> The Compiler Explorer team believes the Compiler Explorer site is compliant
> with the EU's General Data Protection Regulation (GDPR). Specifically, we
> store no personally identifying information, we anonymise the little data
> that we do have and we do not permanently store any user data.

------
salawat
I'm increasingly convinced LexisNexis is an example of a pervasive
monitoring/integration actor that has by this point scaled to the point their
mere existence should be considered an attack.

The level of data aggregation, and the lengths gone through to acquire that
data are just disturbing as all hell.

You can say, on the one hand that the fact they pop up everywhere is clearly a
sign they provide a positive benefit to society, but nowhere I've been
actually does anything to make you aware of what LexisNexis actually is, or
what they provide. They're basically the Ur-example of the "Shadowy info-
broker" trope I've come across in real life.

The question that seems to be boiling to the top of life lately is whether or
not there is a place in the world for a legitimate business whose business is
to know as much as possible about everyone else's business.

The answer, from my perspective, is no, absolutely not. The market seems to
deem otherwise.

~~~
historyremade
They are also using Dating Sites and Student Loan websites to collect data.

------
rocky1138
I wonder if there's a browser extension that will port scan them back.

~~~
kstrauser
I’m surprised any web site is doing something this risky to themselves. Say
I’m an attacker. I visit their website, and they attempt to open a connection
to me. I accept the connection and send back a target payload to their
scanner, which is certainly less well tested than their public website’s
software. Even better, that seems exceptionally hard to prosecute: “wait,
didn’t you go out of your way to _ask_ the defendant to send you that data?”

~~~
insulanus
Good thinking, but if I understand correctly, the javascript running the scan
is running on your browser. So the scan is coming from the browser process,
and both sides of the connection have IP address 127.0.0.1.

That javascript can then report back, or take other actions in your web
session.

It's not a port scan in the sense of them opening a socket from their server
to your computer.

~~~
kstrauser
But that report back need not look exactly like they might expect.

~~~
mr_toad
It’s not impossible. They could be doing something stupid like running eval on
a JSON payload, or generating SQL insert statements from the unsanitised data.
But I doubt it.

------
techntoke
My understanding is that you can use WebRTC and other methods of JavaScript to
port scan a computer. Heck, you can literally run BitTorrent on a website
using WebTorrent. You could force users to download and share copyrighted
movies or other illegal material in the background without their knowledge
when they visit your website. The state of the browsers is a disaster and
security nightmare. Wasm is only going to make it worse. Soon you'll
essentially be running binary blobs when you visit a website. What was
supposed to be a permissioned sandbox to protect users, turned into an
advertisers' and malicious hackers' wet dream.

I think there needs to be more alternatives to JavaScript at this point.

~~~
jackewiehose
> Heck, you can literally run BitTorrent on a website using WebTorrent. You
> could force users to download and share copyrighted movies or other illegal
> material in the background without their knowledge when they visit your
> website

Yes, I wrote this a few times in threads like this but for some reason this is
mostly ignored. Having WebRTC enabled by default can get you in legal trouble
(at least in a country like Germany where lawyers send you letters based on IP
addresses).

~~~
superkuh
Leaving javascript executing by default is the modern version of opening every
email attachment.

~~~
techntoke
It is the default for browsers, even after you install privacy protection
extensions.

~~~
superkuh
Because the browser standards are defined by ad and spying companies who
require it and because in the past it wasn't what it is today: dangerous.

------
jimbob45
TL;DR: Use Firefox with uBlock Origin to block the highest number of scans.
Edge/Chrome/Brave let them through.

------
ringe
This link sent me straight to a malicious ad page pretending to be Telenor

------
homero
Wow so if I use RDP or TeamViewer then what? They decline my order?

------
kerng
Wondering if someone will take legal action. Port scanning still is legally a
grey area in many jurisdictions.

------
butz
Is uBlock blocking port scanning by default, or does one have to enable
something in settings?

~~~
llacb47
It's blocking the domains that host the port-scanning scripts.

------
HugoDaniel
No info about Safari

------
inscartwheelies
I'm a bit confused by the ambiguity: is this a local JS browser client-side
scan or a remote server-side scan?

~~~
insulanus
Yeah, it's hard to describe accurately, because it runs in the browser
locally, but is delivered from whatever URL is being referenced on their site.
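
Added example, not part of the thread or the linked article: detection logic for the behaviour described above, where a script delivered by a public site opens connections to ports on 127.0.0.1 from inside the visitor's own browser. It groups request records by page origin and reports public origins that contacted several distinct ports on loopback or private addresses. The records, host names, function names and the threshold are assumptions made for illustration; real input would come from a HAR export or proxy log.

```javascript
// Constructed sample records: the page that issued a request, and the request URL.
const SAMPLE_LOG = [
  { page: "https://shop.example/login", url: "wss://127.0.0.1:3389/" },
  { page: "https://shop.example/login", url: "wss://127.0.0.1:5900/" },
  { page: "https://shop.example/login", url: "wss://127.0.0.1:5938/" },
  { page: "https://shop.example/login", url: "https://cdn.example/app.js" },
  { page: "https://news.example/", url: "https://news.example/api" },
  { page: "http://localhost:8080/dev", url: "ws://localhost:35729/livereload" },
];

// "Local" means loopback or RFC 1918 space, judged from the host literal only (no DNS).
function isLocalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

// URL.port is empty when the scheme default is used, so fill it in.
function effectivePort(u) {
  if (u.port) return Number(u.port);
  return (u.protocol === "https:" || u.protocol === "wss:") ? 443 : 80;
}

// Returns { pageOrigin: [sorted distinct local ports] } for pages served from a
// public origin that contacted at least `minPorts` distinct local ports.
function findLocalProbes(log, minPorts = 3) {
  const seen = new Map();
  for (const { page, url } of log) {
    let p, u;
    try { p = new URL(page); u = new URL(url); } catch { continue; } // skip malformed
    // Local pages talking to local services (dev servers) are not of interest.
    if (isLocalHost(p.hostname) || !isLocalHost(u.hostname)) continue;
    if (!seen.has(p.origin)) seen.set(p.origin, new Set());
    seen.get(p.origin).add(effectivePort(u));
  }
  const out = {};
  for (const [origin, ports] of seen) {
    if (ports.size >= minPorts) out[origin] = [...ports].sort((x, y) => x - y);
  }
  return out;
}

console.log(findLocalProbes(SAMPLE_LOG));
```

A hostname that only resolves to a loopback address through DNS is not caught by the literal check; resolving names before classification would be needed for that case.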

