
Why Is This Website Port Scanning Me? - BCharlie
https://nullsweep.com/why-is-this-website-port-scanning-me/
======
segfaultbuserr
It's why Tor Browser restricts access to localhost by default. This problem
was already predicted and considered by Tor developers back in 2014, see
ticket #10419 - _Can requests to 127.0.0.1 be used to fingerprint the browser_
[0] and has been fixed since then. Scanning localhost is a dangerous way to
fingerprint the user if there are local open ports.

If you are not using Tor Browser and want to fix the security hole without
disabling WebSocket completely, running the web browser in a separate network
namespace is a workaround - you get a loopback interface which is independent
from the main namespace, and you create a NAT interface within the network
namespace to allow outgoing traffic. It's also a possibility for a website to
probe other machines, such as the setting page on your router. For better
protection, you should block all the local addresses defined by RFC1918 via
netfilter/iptables as well.

For developers who need less restrictive blocking for debugging, you can run
multiple Firefox processes in different profiles ( _firefox -P --new-instance_
), each running in a different network namespace - to make it easy, you can
code everything in a shell script and create desktop icons for them. I
normally use an ad-blocked and 3rd-party-cookies-blocked profile for web
browsing, but a naked Firefox profile for development.

[0]
[https://trac.torproject.org/projects/tor/ticket/10419](https://trac.torproject.org/projects/tor/ticket/10419)

~~~
gsnedders
> It's why Tor Browser restricts access to localhost by default. This problem
> was already predicted and considered by Tor developers back in 2014, see
> ticket #10419

Sorry to invoke the meme, but Opera did it first[0], in Opera 9.50 (2008). I
don't have a good reference to hand, but [1] is a developer complaining about
this. [Edit: [2] covers the feature in some detail.]

Opera also blocked access to private IP addresses (so there were three tiers:
public IPs, private IPs, localhost; higher tiers could communicate with lower
ones, so the block was only unidirectional).

IE10+/EdgeHTML-based-Edge (and I know there was some talk about blocking this
in Chromium-based Edge) also blocks it, so that too is prior art to the Tor
change.

[0]: [https://w3cmemes.tumblr.com/post/62942106027/if-you-can-think-of-it-its-999-likely-opera](https://w3cmemes.tumblr.com/post/62942106027/if-you-can-think-of-it-its-999-likely-opera)

[1]: [https://stackoverflow.com/questions/1836215/access-to-127-0-0-1-by-default-in-opera-10](https://stackoverflow.com/questions/1836215/access-to-127-0-0-1-by-default-in-opera-10)

[2]: [https://web.archive.org/web/20140302021701/http://my.opera.com/securitygroup/blog/2012/07/03/operas-cross-network-protection](https://web.archive.org/web/20140302021701/http://my.opera.com/securitygroup/blog/2012/07/03/operas-cross-network-protection)
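
The three-tier rule described above, written out as a policy function. This is an added example, not code from Opera or any browser; the tier numbers, the address ranges beyond RFC1918, and the injected `resolve` callback are this example's own assumptions. The last function also covers the point made elsewhere in the thread that the decision must be taken on the resolved address, never on the hostname.

```python
import ipaddress
from typing import Callable, List

# Tiers: a page may only reach targets in its own tier or a lower one, so a
# public site can never reach the intranet or loopback, while an intranet page
# may still call public APIs (the "unidirectional" block in the comment).
PUBLIC, PRIVATE, LOOPBACK = 0, 1, 2

# "Private" tier: the RFC1918 blocks named in the thread, plus link-local and
# IPv6 unique-local space (those last three are this example's own addition).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]


def tier(addr: str) -> int:
    """Classify one IP literal into a tier; higher means more sensitive."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 is unwrapped first,
    # otherwise it would slip past the loopback test below.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return LOOPBACK
    if any(ip in net for net in PRIVATE_NETS):
        return PRIVATE
    return PUBLIC


def allowed(origin_ip: str, target_ip: str) -> bool:
    """Unidirectional rule: the page's tier must be >= the target's tier."""
    return tier(origin_ip) >= tier(target_ip)


def allowed_request(origin_ip: str, target: str,
                    resolve: Callable[[str], List[str]]) -> bool:
    """Apply the rule to a hostname or IP literal a page wants to reach.

    The decision is taken on every resolved address, never on the name: a
    public-looking name can resolve (or later rebind) to 127.0.0.1, which is
    why the check has to sit where the DNS answer is known. `resolve` is
    injected so this runs offline; a real browser would use its own resolver.
    An empty answer is treated as "deny".
    """
    try:
        targets = [str(ipaddress.ip_address(target))]   # literal, no lookup
    except ValueError:
        targets = resolve(target)
    return bool(targets) and all(allowed(origin_ip, t) for t in targets)
```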

~~~
gsnedders
To add more about why current browsers don't do this:

One is clearly that you need to communicate the requesting IP deep enough into
the network stack to the point where you get the DNS response (if there is
one), which means there's a fair bit of work to ensure this is done
everywhere;

Another is it's known to break corporate websites
([https://internal.bigcorp.com/](https://internal.bigcorp.com/) on a public IP
expecting to be able to access private IPs on their intranet), and smaller
browsers are reluctant to lose corporate users by changing long-standing
behaviour;

Then there's the WebRTC question: if two users on the same local network start
a WebRTC call, do we want all this traffic to go via the first point where the
public IP is known? For the majority of users the answer is no. And as long as
that's possible, there's a (very limited) means of local communication. (But
if it's limited to only things that respond to the WebRTC handshake, we're
already in a much better place!)

~~~
vbezhenar
In Kazakhstan we have an e-government website. This website allows users to use
crypto-tokens to access government services (every citizen can get a digital
certificate representing his identity).

This website used to run a Java applet. This applet was signed and it could
access restricted APIs to access the USB device. So the website talked to the
applet and the applet talked to the USB device to sign data.

After major web browsers disabled Java applets, they implemented another
approach. Now the user must install software which runs a web server on
127.0.0.1. This webserver listens on a specific port and uses a web socket to
communicate.

So the government website now uses JavaScript to connect to 127.0.0.1:12345
using a websocket. And then it uses that connection to interact with the USB
device.

So an ability for external website to connect to 127.0.0.1 actually is
essential for this use-case.

My guess is that there are plenty of other websites which use a local web
server to interact with locally installed software. I know at least one other
such website: the Blizzard website. It runs a web server in its game launcher
and the website can communicate with it.

PS also they have to install a custom trusted certificate because the browser
requires wss from https and there's no easy way to get a legitimate
certificate for that kind of use.

~~~
justinclift
> So government website now uses JavaScript to connect to 127.0.0.1:12345
> using websocket.

It sounds like random other websites (Ebay, etc) would be able to interact
with people's USB devices this way too. Maybe without people knowing?

~~~
_nalply
Yes, if this is programmed badly (missing security or a security hole).

The browser connecting to the government website accesses two servers: the
original one and the second local one you install yourself on your system. The
local server runs natively and therefore can access the USB device. Like all
servers it should be programmed such that misuse by hackers is prevented.
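
One way such a local helper server can refuse requests from other sites, as an added example (not the Kazakh e-government software, Blizzard's launcher, or any real product): validate the Origin and Host headers of every WebSocket upgrade before touching the device. The site name and port are placeholders.

```python
import base64
import hashlib
from typing import Dict, Tuple

# Placeholders: the one origin whose pages may drive the device, and the Host
# values a browser sends when it really connected to the loopback port.
ALLOWED_ORIGINS = {"https://egov.example"}
LOCAL_HOSTS = {"127.0.0.1:12345", "localhost:12345"}
# RFC 6455 GUID used to derive Sec-WebSocket-Accept from the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

REFUSED = b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into the request line and a lower-cased
    header map (the last value wins for repeated names)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept per RFC 6455: base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handle_upgrade(raw: bytes) -> Tuple[bool, bytes]:
    """Return (accepted, response bytes) for one upgrade request.

    Both policy failures get the same 403, so a probing page learns nothing
    beyond "refused". Browsers always send Origin on WebSocket handshakes, so
    a missing Origin means a non-browser client and is refused as well.
    """
    _, h = parse_request(raw)
    # 1. Only pages from the allowlisted site may open the socket.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return False, REFUSED
    # 2. Host must be the loopback literal the page is meant to use. A request
    #    that reached this port through some public name (DNS rebinding)
    #    carries that name in Host. The Origin check already stops a browser
    #    page doing that; this is defence in depth for other clients.
    if h.get("host") not in LOCAL_HOSTS:
        return False, REFUSED
    # 3. Plain protocol validation.
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return False, BAD_REQUEST
    response = (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(h['sec-websocket-key'])}\r\n\r\n"
    )
    return True, response.encode("ascii")


def build_request(host: str, origin: str) -> bytes:
    """Constructed sample handshake (the key is the RFC 6455 example value)."""
    return (
        f"GET /sign HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
        f"Connection: Upgrade\r\nOrigin: {origin}\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for host, origin in [("127.0.0.1:12345", "https://egov.example"),
                         ("127.0.0.1:12345", "https://shop.example"),
                         ("rebind.attacker.example:12345", "https://egov.example")]:
        ok, resp = handle_upgrade(build_request(host, origin))
        print(host, origin, "->", "accepted" if ok else resp.split(b"\r\n")[0].decode())
```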

~~~
Shorel
That's already a security hole.

The only thing missing is a rogue website abusing it.

There's no guarantee you will never connect to any rogue website that abuses
this government mandated backdoor.

------
souterrain
The greater issue is that browsers are allowing code executing from the public
Internet _scope_ (scope meaning security domain) network access to the
localhost scope or the Intranet scope (RFC1918 addresses.)

If anything, this should require very explicit permission granting from the
user. I’d prefer it be something more like an undocumented toggle accessible
solely to developer types.

~~~
marcojrfurtado
There are legitimate reasons for port scanning, but I'm not sure most websites
out there are using it for noble purposes. I guess browsers could allow it
based on explicit permission from the user, just like it's already done for
microphone and camera.

~~~
zrobotics
I'm curious, what would be a good reason to do this? I'm not creative enough
to think of anything this enables a site to do that isn't malicious. If I'm
running a service on localhost, and that service needs to communicate with the
site I'm browsing, surely I could just direct that service to communicate with
the site itself.

For instance, if I'm running a local chat application and need it to
communicate with the web version, why does the website need to be able to port
scan to accomplish this? I can think of other ways to accomplish this that are
a lot more secure.

~~~
tlb
Ubiquiti routers have a fairly magical browser SPA that can run on their
domain and talk to local routers. It involves webrtc connections to local
addresses.

But I think if same-origin were enforced more strictly, they could have found
another way.

~~~
Macha
Huh, I never looked but always assumed this was proxying through the
controller.

~~~
tlb
It does this most of the time, either through the cloud or direct to the
controller. But during setup of the first device on a network it does
something direct from the browser to get it connected to the cloud.

------
jolmg
> Port Scanning is Malicious

Though port scanning can be (and maybe even frequently is) done with malicious
intent by looking for misconfigured/bugged servers, I disagree that it's
inherently malicious. Port scanning is just about checking to see what
services a host is offering you. It's like going to a random shop at a mall
and asking what services they provide. Would asking about their services be
malicious?

It feels like the reason asking about services is considered malicious is
because shops frequently give out info to the public that they shouldn't have.
It's like:

client: What services do you provide?

shop owner: Well, I can provide you with a list of all my clients along with
their personal information they entrusted to me.

So, is the client being malicious for asking or is the shop owner the one that
was in the wrong for mistakenly providing that info to the public?

I feel the only reason we don't blame the shop owner is because even though
he's the one that mistakenly discloses private info, sometimes he's just
following a script written by a random programmer unassociated with him. Maybe
the response was a mistake on the programmer's part, maybe it was a mistake in
how the shop owner used the script (a configuration error). In the end, it's
simpler to blame the client for asking out-of-the-box questions (after all,
most clients just come in to ask if you're giving out flyers/pamphlets because
that's what everybody does) and so they don't feel responsible for the
response that results.

I can provide a shop that also offers things different than http(s) with open
access to the public. It shouldn't be a crime/violation to ask me if I offer
them.

~~~
jrockway
I think the dynamics of the Internet have shifted from the early days.
Basically, HTTPS on port 443 is pretty much the only service that anyone
intends to make publicly available. This is different from 30 years ago, when
those same sites had HTTP, FTP, Gopher, a public Telnet server, a public NTP
server, etc. and they wanted you to use them. It was very reasonable to look
around back then, but nowadays anything that is available publicly is probably
an accident.

~~~
jolmg
Exactly! And do we want to continue on that trend? Personally, I don't.

I dislike the growing idea that HTTP is a core part of the internet, and not
just the most popular part. The difference lies in if we're going to see
legislation that dictates proper use of the lower networking layers like
TCP/IP by stuff of the upper layers like HTTP. I'd really hate to see
something along the lines of "it's illegal to use a TCP port unless it was
specified as available to the public in some (possibly js-rendered) part of an
HTTP response."

~~~
jrockway
I don't think it's worth getting caught up on which data framing protocol
everyone is using. Everything that Gopher, IRC, FTP, etc. did are perfectly
expressible as any other RPC protocol; these things were just RPCs before we
invented the term RPC. Now we have protocols that can generically transport
any RPC, and so we don't need to think about these things in terms of port
numbers or running services.

------
badRNG
This raises the question: Is port scanning without consent a violation of the
CFAA? Either it is legal, and researchers should face no repercussions for
doing so, or it isn't and eBay is non-compliant with CFAA. I recall hearing
about someone either being arrested or convicted due to port scanning a
courthouse, but it was many years ago and I can't find the case with a cursory
Google search.

I have to wonder what value eBay would get from port scanning its customers.
Is it part of an attempt to detect bots/attackers? Is malware running on their
server trying to determine if the client is likely vulnerable to some
propagation method?

~~~
JoelMcCracken
Was it this?
[https://news.ycombinator.com/item?id=21023023](https://news.ycombinator.com/item?id=21023023)

~~~
badRNG
No, I think it was probably close to a decade ago, but I likely am
misremembering some of the details. Could've been a police department, but I'm
not sure.

That one you linked is a messed up case. There is a phenomenal podcast that
interviews those guys and walks through their engagement.
[https://darknetdiaries.com/episode/59/](https://darknetdiaries.com/episode/59/)

------
splonk
> Furthermore, when I installed and ran a VNC server, I didn't detect any
> difference in site behavior - so why is it looking for it?

Not an eBay employee, but used to work in fraud detection. Two very obvious
related guesses from my experience:

1. Fingerprinting a user to help identify account takeover (ATO). Open port
signatures are probably a pretty good signal for that kind of thing (and it
doesn't seem to be measured in
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)).

> However it is also a valid tool used by administrators for remote access to
> machines, or by some end user support software, so the presence of VNC is a
> poor indicator of malware.

2. In a Bayesian sense, this probably isn't right. I don't know what eBay's
traffic looks like but I'm willing to bet that all other things being equal,
traffic coming from a machine with an open VNC port is riskier. Fraud
detection is a game of probabilities, so the existence of a valid user showing
a particular characteristic doesn't mean that the characteristic isn't useful
in a fraud model. The example I always give is that when I was doing this
(quite some time ago), we could have had a 99% accuracy rate for a simple rule
banning IPs from Turkey, Ghana, Nigeria, and Vietnam. It's not because there
weren't any valid users from those countries, it's just that the fraudsters
were overwhelmingly likely to be using IPs from those countries.

~~~
thejynxed
Those four are still considered untrustworthy, and I've had to add India,
Ukraine, and Brazil to the list of nations I filter entirely.

------
braxxox
Port scanning from a web page, combined with DNS rebinding, can present a
really nasty attack, and can affect an entire private network, not just
localhost.

Some more info here: [https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325](https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325)

Example code: [https://github.com/brannondorsey/dns-rebind-toolkit](https://github.com/brannondorsey/dns-rebind-toolkit)

A malicious DNS rebind server:
[https://github.com/brannondorsey/whonow](https://github.com/brannondorsey/whonow)

Disclaimer: I performed some of this research a few years ago. So those
resource suggestions are my own, but they feel very relevant here.

------
crazygringo
First of all, fraud detection seems like a legitimate use case here. And
WebSockets has many valid uses.

 _HOWEVER_ -- how the hell is localhost port scanning allowed to happen
_without my permission_?!

This feels no different from a website trying to check the existence of named
directories on my file system or something.

Does WebSockets not require permission to function at all, or shouldn't it be
limited to some kind of CORS-type policy or _something_ to connect without a
permissions dialog? Or _even_ if it's allowed to port scan the entire public
internet, at least block your local machine and network without explicit
permission?

~~~
ryan-allen
If you find a way to prevent this in Chrome/Edge please let me know.

Edit: [https://defuse.ca/in-browser-port-scanning.htm](https://defuse.ca/in-browser-port-scanning.htm)

There doesn't seem to be a way to access anything locally, just test for open
ports. I use SSH tunneling a lot and was having a minor freak out.

------
relaunched
This use doesn't seem to be covered by eBay's privacy policy
[https://www.ebay.com/help/policies/member-behaviour-policies/user-privacy-notice?id=4260](https://www.ebay.com/help/policies/member-behaviour-policies/user-privacy-notice?id=4260)

------
parliament32
Lots of chat in the comments about how this is all websockets' fault, but
don't forget you can portscan localhost with pure JS as well.

[https://portswigger.net/research/exposing-intranets-with-reliable-browser-based-port-scanning](https://portswigger.net/research/exposing-intranets-with-reliable-browser-based-port-scanning)

~~~
carapace
Ach! That's diabolical.

~~~
gsnedders
Timing attacks make it very hard to prevent port/host probing generally,
sadly, with the sheer number of things that are observably loaded cross-origin
(iframes in that example, but also images, scripts, stylesheets…).

(In the private/loopback IP ranges we should really just make those requests
always fail, but I addressed that in another comment as to why that's not
trivial.)

~~~
parliament32
Private and loopback space should really be outside the sandbox, or at least
in a permission. I'm happy with mycorp.net accessing 10/8 space, but not ebay.

------
bjt2n3904
Every time I hear about some shiny new feature being added to a browser, I
think...

1) Will I ever actually use this

2) How is this gonna screw me over

WebSockets, WebBluetooth, WebAssembly,
Web-You-Can-Access-my-Accelerometer-and-Battery, haven't ever wanted to use
those. Ever. For anything. For any reason. (Edit 3: Oh yeah, I forgot! WebRTC!)

Edit: Fantastic. You can't disable it in Firefox. So what, does Firefox need a
freaking iptables implementation now? [1]

1 -
[https://bugzilla.mozilla.org/show_bug.cgi?id=1091016](https://bugzilla.mozilla.org/show_bug.cgi?id=1091016)

"The only theoretical reason for the WebSocket pref these days is the
possibility to disable it easily in case there is a security issue found in
the protocol itself or so."

The protocol itself is the security issue. ALL OF IT.

Edit 2: So I don't have the time to investigate every new fad when it comes
out. I originally thought WebSockets were raw sockets, but they aren't.
Firefox blocks access to port 22 -- I was hoping all privileged ports, but it
seems just those. Opening a WebSocket to netcat dumps out a HTTP request, so
it seems unlikely that you'd be able to talk with anything that doesn't talk
HTTP and WebSockets. Firefox also seemingly blocks access to 192.168/24 and
10/8.

This makes me less angry. But what STILL makes me angry is that I have to sit
and research about some stupid thing that I don't want and can't turn off.
Sooner or later, some web dev is gonna argue that all sites should be loaded
over WebSockets because his bloated javascript stack performs marginally
better, and then WebSockets _won't_ be something I can turn off. Websites
will just whitepage.

Edit 4: Done researching this now. I went to ebay on Firefox, and wasn't
getting websocket scans. But I've got a stack of uBlock and NoScript... maybe
that's interfering with it somehow? Opened up a stock config for
google-chrome -- that's my browser for "some dumb new web tech that isn't
working in Firefox" -- not seeing any scans when I open up inspector and click
"WS".

Regardless, his point still stands. You can totally use WebSockets as a port
scanner for localhost, assuming the Content Security Policy allows it. Now I
gotta go update my nginx configs...

~~~
djsumdog
Websockets are nice for some things. I hack on Mastodon and it uses WSS for
streams and they're very helpful.

But WebBluetooth, ASM, etc are all fairly insane. WebRTC feels like a massive
security issue (I've seen a demo of someone using WebRTC to find computers on
an internal network at a security conference years ago. Even if that hole is
fixed, it's still a hacky solution to video streaming behind NAT).

I agree; most of this stuff needs to have ways to disable it, in the base
configuration screen of the browser (not hidden somewhere in about:config).

~~~
klodolph
Why is ASM insane? Are you talking about WASM? That’s got the same security
model as JavaScript.

~~~
neurostimulant
WASM is a great piece of tech but I can't help thinking it would be abused a
lot in the future. For example, right now we can use an ad blocker to block ads
and analytics by blocking their js from loading. Imagine when wasm gains
mainstream popularity and ad companies begin to ship their ads and analytics
products as libraries to be linked at compile time. How do we block something
like that? Sure the adblocker can hide the relevant dom contents, but the code
is still run and doing whatever it wants on your browser.

~~~
klodolph
These kinds of complaints are based on a misunderstanding of how JS works or
how the browser works.

You can do the same exact thing in JS _right now._ In fact, if anything,
JavaScript makes this way easier than WASM. With JS, you can just use
something like Rollup or Webpack to put your analytics code in the same code.

~~~
neurostimulant
Yeah but using webpack is not how the majority of websites are deployed, so
it's probably not worth the effort for ad companies to support it. They will
consider this when webpack/wasm become mainstream enough (approaching 50% of
the web), which may or may not happen. Probably won't happen but the thought
always lingers in my mind.

~~~
klodolph
WASM is way less popular than Webpack.

Almost every site with some kind of front-end framework like React will use a
bundler of some kind.

------
Jonnax
Browsers should be blocking this by default.

"This website is trying to access services on your local PC, do you want to
allow?"

Or at least ad blockers should have a rule for it.

------
osolo
My kids complained today that Google Classroom isn't working. After a quick
investigation, I noticed that Snort on my firewall blocked the relevant Google
server due to incoming TCP port scans. Sigh.

~~~
r1ch
Be careful with automated rules - unless it's a full TCP handshake, you can't
conclusively identify the source of a port scan as the IP may be spoofed. If
someone port scanned you and spoofed eg the IPs of your DNS servers, you've
self-DoSed yourself.
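
A way to build the rule warned about above so that it cannot be turned into a self-DoS, as an added example (not Snort, and the log format is constructed for it): only completed handshakes count toward auto-blocking, SYN-only probes are reported but not acted on, and an allowlist of addresses the network depends on (such as its resolvers) is never blocked.

```python
import re
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Constructed firewall log lines (not Snort output; the format is this
# example's own). state=SYN means only a SYN arrived; state=ESTABLISHED means
# the three-way handshake completed, which a spoofed source cannot achieve
# because it never receives the SYN-ACK.
SAMPLE_LOG = """\
2020-05-26T10:00:01 src=203.0.113.7 dport=22 state=ESTABLISHED
2020-05-26T10:00:01 src=203.0.113.7 dport=80 state=ESTABLISHED
2020-05-26T10:00:02 src=203.0.113.7 dport=443 state=ESTABLISHED
2020-05-26T10:00:02 src=203.0.113.7 dport=3389 state=ESTABLISHED
2020-05-26T10:00:03 src=203.0.113.7 dport=5900 state=ESTABLISHED
2020-05-26T10:00:04 src=192.0.2.53 dport=22 state=SYN
2020-05-26T10:00:04 src=192.0.2.53 dport=25 state=SYN
2020-05-26T10:00:04 src=192.0.2.53 dport=80 state=SYN
2020-05-26T10:00:05 src=192.0.2.53 dport=443 state=SYN
2020-05-26T10:00:05 src=192.0.2.53 dport=8080 state=SYN
2020-05-26T10:00:05 src=192.0.2.53 dport=5900 state=SYN
2020-05-26T10:00:09 src=198.51.100.4 dport=443 state=ESTABLISHED
"""

LINE_RE = re.compile(r"src=(\S+) dport=(\d+) state=(SYN|ESTABLISHED)")


def parse_log(text: str) -> Iterable[Tuple[str, int, str]]:
    """Yield (src_ip, dst_port, state) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def classify_sources(events: Iterable[Tuple[str, int, str]], threshold: int = 5,
                     never_block: FrozenSet[str] = frozenset()) -> Tuple[Set[str], Set[str]]:
    """Return (block, suspect).

    A source whose *completed* connections touched at least `threshold`
    distinct ports is blocked: it proved it owns that address. A source that
    only sent SYNs to that many ports is reported as suspect, never blocked,
    since the address may be spoofed (e.g. forged to look like your DNS
    servers). Addresses in `never_block` are only ever reported.
    """
    syn_ports: Dict[str, Set[int]] = defaultdict(set)
    est_ports: Dict[str, Set[int]] = defaultdict(set)
    for src, port, state in events:
        (est_ports if state == "ESTABLISHED" else syn_ports)[src].add(port)
    block: Set[str] = set()
    suspect: Set[str] = set()
    for src, ports in est_ports.items():
        if len(ports) >= threshold:
            (suspect if src in never_block else block).add(src)
    for src, ports in syn_ports.items():
        if len(ports) >= threshold and src not in block:
            suspect.add(src)
    return block, suspect


if __name__ == "__main__":
    blocked, suspected = classify_sources(parse_log(SAMPLE_LOG),
                                          never_block=frozenset({"192.0.2.53"}))
    print("block:", sorted(blocked))      # only the source that completed handshakes
    print("suspect:", sorted(suspected))  # SYN-only scanner, possibly spoofed
```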

------
xg15
To my knowledge, a lot of effort has been put into the design of CORS (and
related APIs) to specifically prevent misuse like that. A well-behaved
Websocket implementation should not give the calling script any indication
_why_ a connection failed.

I know timing oracles are difficult to avoid in many cases - but the technique
shown here seems to actually exploit different kinds of exceptions being
thrown by the browser.

This seems like a straight-up bug and pretty serious security vulnerability to
me.

~~~
MrStonedOne
cors/csp allow the webpage owner to control what servers the javascript
running on their webpage can access and allow web servers to control what
3rd party websites make requests to them.

Notice the missing piece? Neither of those allow the _user_ to control these
things.

At the end of the day, it is reasonable to assume that localhost access is a
valid security barrier in the general networking sense. Making an exception
for certain types of networked applications is just adding a pitfall for some
dev to fall into. Good process design has to take into account the
inevitability of human error, and leverage things like "forget safe" rather
than "remember safe" (forgetting a step should fail safely, with an error or
incorrect but still safe behavior, rather than unsafely, with an exploit or an
explosion)

Using websockets or XHR to traverse internet firewalls is browsers
traversing security barriers as a feature, and needs to go the way of
mic access, with a per-site prompt.

------
maayank
If anyone thinks of implementing this, don't forget to guard against
reflection attacks[1]

EDIT: revisiting my comment (and the wikipedia article linked), a reflection
or amplification attack in this context is sending traffic and generating
(perhaps much more) traffic from a different source than yours as part of an
attack. For example, you could spoof the IP address of the HTTP packets and
cause the server to port scan another machine -> little traffic (HTTP request)
causing a lot of traffic (port scanning). As part of a DDOS attack, a botnet
for example could use this to amplify their attack and masquerade the source.

[1] [https://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_/_spoofed_attack](https://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_/_spoofed_attack)

------
fareesh
Why is localhost / 127.0.0.1 allowed from a remote JS file without any
permissions?

------
jamesfisher
Potentially you can do more than just port scan; it's possible to use/access
the servers that you have running on your local machine if they're left open.
See my post about this: [https://jameshfisher.com/2019/05/26/i-can-see-your-local-web-servers/](https://jameshfisher.com/2019/05/26/i-can-see-your-local-web-servers/)

------
discreditable
From the title I assumed this was going to be something else. I remember some
sites used to port scan you on registration. This was to check if
registrations were from an open proxy, which was a very strong bot indicator.
I might be misremembering but I think Slashdot used to do it. There were also
some plugins for phpBB forums that did it too. I used one back in the day and
it helped quite a bit with spam registrations.

~~~
machello13
How did port scanning work back then before WebSockets?

~~~
r1ch
These were external scans - see if the visitor's IP is running an open SOCKS
or HTTP proxy for example. Many IRC networks still port scan you on connect
for the same reason.

------
xur17
Is there a way to block this at the browser level? Ex: block access to
localhost for all domains (except from localhost itself)?

~~~
gruez
Ublock allows you to block websocket requests, eg.

    *$websocket

will block all websocket connections. You probably want to operate on a
whitelist on a site by site basis. Blocking localhost or 127.0.0.1 isn't
reliable because sites can use dns rebinding attacks to bypass your filters.

~~~
jhhh
Ublock origin says it supports ABP filter rules which allow for whitelisting
sites which seems like it should allow something approximating:

    ~site.com$websocket
    *,~site.com$websocket

However this seems like it's invalid syntax because switching your example to
this opens all websocket use back up tested via
[https://websocketstest.com/](https://websocketstest.com/)

~~~
gorhill
That is not valid ABP filter syntax. This is what you want:

    *$websocket,domain=~site1.com

For more than a single site:

    *$websocket,domain=~site1.com|site2.com|...

I would personally suggest that people just enable advanced user mode and
create rules such as:

    * 127.0.0.1 * blocked

To block all request attempts to 127.0.0.1.

~~~
jhhh
Thanks for the information and all that you do. I had found the linked section
from UBO to [https://help.eyeo.com/en/adblockplus/how-to-write-filters#elemhide_domains](https://help.eyeo.com/en/adblockplus/how-to-write-filters#elemhide_domains) and assumed that *$websocket was
<all_domains><separator><rule> similar to how other filters seem to work but I
haven't delved too deeply in the rule syntax. Appreciate the correction.

------
gfxgirl
This is bad and should be blocked IMO, at least by default, but can a site do
anything other than find out which ports respond to a websocket request? AFAIK
they can't send arbitrary network packets. The websocket will only open if the
port they are trying to talk to speaks websocket back. This is mentioned in
the article.

I'm not saying that's okay. I still don't want them scanning ports on my
machine. There might be some services that offer a websocket connection like
Plex for example, or the Kinect driver, or Leap Motion. I also don't want them
cataloguing ports that are open.

------
sitkack
I can't believe of the 363 comments no one has mentioned Samy K and his
awesome Poisontap project. Parts of which did this local scanning and
connecting to your internal router management page.

[https://github.com/samyk/poisontap](https://github.com/samyk/poisontap)

See also,
[https://www.theregister.co.uk/2010/01/05/geo_location_steali...](https://www.theregister.co.uk/2010/01/05/geo_location_stealing_hack/)

------
annoyingnoob
If the bank is checking on my security then it's reasonable for me to check the
security of the bank, right?

~~~
kchr
Check the bank EULA. You might have agreed to the scans without knowing.

------
laurentdc
> Furthermore, when I installed and ran a VNC server, I didn't detect any
> difference in site behavior - so why is it looking for it?

I think behind the scenes they keep a log of some sort of fraud risk, e.g. geoip
different from billing country, suddenly a new operating system,
vnc/teamviewer running would probably flag your account (even for benign
purposes, e.g. you can get your money back or purchase cancelled if that info
can prove your transaction was actually unauthorized).

I worked on an ecommerce site where the previous developers implemented a
rudimentary "score" system like that so that suspicious orders would be put in
queue for phone verification (this was pre gdpr)

~~~
BCharlie
That makes a lot of sense. I assumed it was somehow for anti-fraud, though I
still don't like it.

------
jcoffland
Port scanning localhost from a webpage has been possible for a long time and
does not require websockets.

[http://jsscan.sourceforge.net/](http://jsscan.sourceforge.net/)

------
_bxg1
I don't follow what this has to do with websockets specifically; they just go
over HTTP, so why couldn't you do this with a regular HTTP request?

Either way it seems easy to mitigate at the browser level: block all requests
to localhost that don't originate from a page served on localhost. It's not
that different from the CORS policy.

------
gfxgirl
Yes, a drive by web page shouldn't be able to do this but similarly a native
app shouldn't be able to do this and yet I suspect some not insignificant
percent of native apps, especially on mobile on both OSes are doing this
either directly, the app dev is doing it deliberately, or via one of the many
3rd party libraries they included but aren't aware of the behavior.

I really want the OS to prevent this by default and require permission from
the user. I want apps (probably only possible on iOS/Android) to have to list
the sites they'll connect to; that list will have to be reasonably small, 10-30
sites, with special exceptions for browsers.

This would have 2 positive effects. #1 it would prevent the apps from scanning
the network. #2 it would effectively force apps to launch the user's browser
for external links instead of an embedded browser in which they can spy on all
activity.

------
Giorgi
I don't think motivation is malware detection, I am assuming this is sort of
fraud detection (like carding)

------
akerro
Interesting, port scanning is illegal in some countries as it's classified as
security testing, it can be only performed with permission.

How would you feel if someone was walking around a busy car park and checking
if the doors of the cars are open? It's what port scanning is, checking if the
car has an open door.

~~~
clarry
> How would you feel if someone was walking around a busy car park and
> checking if the doors of the cars are open? It's what port scanning is,
> checking if the car has an open door.

More like sending a "hi, can I enter?" signal to a self-driving taxi that has
been left waiting in a public arena.

Don't put a server online with a public IP if you don't want to receive those
signals. Don't send "hi yes you can enter!" responses when you get the query,
if you don't want to let people in.

~~~
jgwil2
Except in the case described by the article, the port scanning is being done
not on servers on the public internet but on clients of certain websites.

------
anderspitman
Curious what HN thinks about this hypothetical: Imagine you have a web app
designed to talk to a specific backend server API. It's also common for users
to run instances of the server on their local machine. How would you feel
about the app checking a (single) well-known port to see if there's a local
server running, and prompting the user: "we detected you're running a local
copy of the server, do you want to connect to it?"

This doesn't seem to be done very often, and the public cases usually seem to
be pretty ugly (Zoom). But I could see it being useful. Imagine for example an
app for browsing S3 directories, that could also detect if you're running a
minio server and allow you to connect to it, and transfer data back and forth
between your different backends.

~~~
CobrastanJorji
I don't think the case that you're describing is unethical, but I also don't
see it as beneficial enough to outweigh the security risks of it being
possible.

------
ilikenwf
This slideshow by an NSA dude seems to go into this, from 2016.

[https://datatracker.ietf.org/meeting/96/materials/slides-96-...](https://datatracker.ietf.org/meeting/96/materials/slides-96-saag-1/)

------
csagan5
There is an open Chromium bug for this:
[https://bugs.chromium.org/p/chromium/issues/detail?id=378566](https://bugs.chromium.org/p/chromium/issues/detail?id=378566)

I hope they consider it still valid and not close it.

These are the blocked ports:
[https://github.com/chromium/chromium/blob/83.0.4103.53/net/b...](https://github.com/chromium/chromium/blob/83.0.4103.53/net/base/port_util.cc#L22)

Accessing localhost and LAN addresses works perfectly fine, except for those
ports.

I am going to patch Bromite so that it doesn't allow any access to localhost
nor private networks.

~~~
csagan5
Interestingly enough they are already blocking these attacks for background
requests, see
[https://github.com/chromium/chromium/blob/83.0.4103.53/third...](https://github.com/chromium/chromium/blob/83.0.4103.53/third_party/blink/renderer/modules/background_fetch/background_fetch_manager.cc#L251)

Perhaps they simply forgot to cover also the WebSockets case, or the
discussion on the related bug was not allowing for expanding the coverage.

------
XaspR8d
This does suggest to me that browser websocket requests against localhost
should at least:

1) return the same error message for all failures (unless some opt-in / launch
flag is set)

2) fiddle with the timing slightly to make timing attacks less useful? (how
long is a localhost TLS connection? 100ms? I think devs can wait a handful of
frames for their failure response.)

I have no idea how many legitimate apps are leveraging some kind of localhost
connection -- it sounds like an unusual use case but I can certainly imagine
some enterprise app that ties into desktop services or programs by that route.

EDIT: Of course banning them outright or requiring specific user whitelisting
of domains would work as well. Just trying to get away with the smallest
change.

------
rurban
Many questionable Russian sites do full port scans not only on localhost but
on all the private subnets. I had to block all access to ports above 1024 for
all local subnets. Usually people don't have firewall rules for that.

------
franga2000
Allowing ws connections to local addresses can be pretty useful in many cases
(admittedly, many of these could be better solved with WebExtensions' native
messaging) so disallowing it would not fly.

But since this is pretty rare, a message saying: "this website is trying to
connect to services running on your computer - allow/deny?" would be pretty
easy to implement and solve this for good. Sites that need this already
require you to jump through hoops, so one more popup would be fine, but sites
that do this for other reasons would probably not want to risk a popup.

------
thanksforfish
See also: BeEF[1]

There's lots of scanning/attacks you can do using the web browser as your
scanning tool. It's troubling that major sites are starting to use some of
these techniques, but these techniques have been readily available to
attackers with open source tooling.

I think it's long overdue for browser to find a way to mitigate these sorts of
attack vectors. If the security folks can't justify it due to BeEF, maybe the
privacy folks can using articles like this.

[1] [https://beefproject.com/](https://beefproject.com/)

------
TekMol
When you do this:

    new WebSocket("ws://127.0.0.1:8080")

An application listening on 8080 is indeed getting a packet delivered.

Run this to see the packet:

    nc -lp 8080

And the page can figure that out via the error returned.

I wonder if that is in line with the same origin policy.

On the other hand, maybe the same is possible by creating an image with
src="http://127.0.0.1/hello.jpg" and looking at
the onload/onerror event?

~~~
cygx
But note that a simple

    <img src="http://127.0.0.1:8080">

should do so as well, i.e. this is just the newest iteration of an old problem
that the major browser vendors never chose to properly address - with the
exception of Opera, see e.g. this stackoverflow question [1] and corresponding
answer from 2011.

[1]
[https://stackoverflow.com/questions/5464599](https://stackoverflow.com/questions/5464599)

~~~
TekMol
The page could never read the contents of the image, right?

If the user has a web-socket-server running (for example because he is a
developer) could the page read from it?

Can a page read from _any_ web socket server on the internet?

~~~
cygx
_If the user has a web-socket-server running (for example because he is a
developer) could the page read from it?_

Only if that server chooses to accept the request, which it can decide based
on the Origin header.

Personally, I was more concerned with getting spurious requests on ports bound
to 127.0.0.1 (which I've been using for IPC), but that issue already existed
before the introduction of WebSockets.

WebSockets of course do make things like port scanning easier, but as others
have pointed out, you could already do that with a bit of ingenuity eg through
tracking response times.
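The Origin check cygx describes, as an added example that is not from the thread: a loopback service that completes the RFC 6455 handshake only for an allow-listed Origin, answers every other request with the same 403 (so the status leaks nothing), and flags an origin that knocks on several local ports in a row. The allowed origin, the port threshold and the sample handshake bytes are assumptions made for the example.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Assumed policy for this example: only this page may open a socket to the local service.
ALLOWED_ORIGINS = {"http://localhost:3000"}
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455

def parse_handshake(raw: bytes) -> dict:
    """Lower-cased headers of an HTTP/1.1 GET request; {} if it is not one."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace").split("\r\n")
    if not re.match(r"^GET \S+ HTTP/1\.1$", lines[0]):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def accept_key(key: str) -> str:
    """Sec-WebSocket-Accept value for the client's Sec-WebSocket-Key (RFC 6455)."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def decide(headers: dict) -> int:
    """101 only for a WebSocket upgrade carrying an allow-listed Origin; every
    other case is 403, so a probing page learns nothing from the status code."""
    if headers.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in headers:
        return 403
    return 101 if headers.get("origin") in ALLOWED_ORIGINS else 403

class ProbeTracker:
    """Distinct loopback ports each rejected Origin has knocked on: one port is an
    integration attempt, many ports in a row is the scan the thread describes."""
    def __init__(self, threshold: int = 5):
        self.threshold, self.ports = threshold, defaultdict(set)

    def record(self, origin: str, port: int) -> bool:
        self.ports[origin].add(port)
        return len(self.ports[origin]) >= self.threshold

def handle(raw: bytes, local_port: int, tracker: ProbeTracker) -> tuple:
    """Return (wire response, scan_flag) for one handshake received on local_port."""
    h = parse_handshake(raw)
    if decide(h) == 101:
        return (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                b"Sec-WebSocket-Accept: " + accept_key(h["sec-websocket-key"]).encode() + b"\r\n\r\n",
                False)
    flagged = tracker.record(h.get("origin", "<none>"), local_port)
    return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\nContent-Length: 0\r\n\r\n", flagged

# Constructed sample: the handshake a foreign page's new WebSocket("ws://127.0.0.1:8080") sends.
SAMPLE_PROBE = (
    b"GET / HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Origin: https://example.com\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)
```

Wire `handle` to whatever loopback listener fronts the service; the tracker is shared across ports so a page walking 8080, 8081, 8082, ... is caught even though each listener sees only one port.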

------
blakesterz
hmmm, so the conclusion is:

"Whether the port scan is used as part of an infection or part of e-commerce
or bank "security checks", it is clearly malicious behavior and may fall on
the wrong side of the law."

Though I really don't know what ebay or banks or any site might be doing, it
seems like it's almost certainly a defensive thing looking for signs of
trouble. I don't know if I'd call it malicious. Isn't this totally harmless in
this case? That is, eBay portscans me, how is this malicious?

~~~
the8472
You don't know whether they're collecting the data and running analysis on it.
What services you're running may already reveal something about you.

------
foobarplopp27
This guy just has it wrong when he calls port scanning an adversarial
technique. It's just a way to discover services. You can then use the result
to do malicious things but it's not like the only or even main purpose. I
humbly refer to this: [https://koeln.ccc.de/ablage/portscan-policy.xml](https://koeln.ccc.de/ablage/portscan-policy.xml) (Google translate
can help with the German)

------
owaislone
This is scary. I've always left locally running services unprotected for
convenience given they can't be accessed from outside. I can imagine a lot of
people running local apps, servers or databases without any auth that could
contain sensitive information. Would a webpage be able to scrape data from such
services? Any way to disable this completely in Firefox and Chrome?

~~~
dvdkhlng
No, webpage javascript is limited to using websocket protocol [1] for
connections. That means your database or IP camera, or VoIP phone or router
are safe for now. Though the websocket connection establishment seems to allow
the javascript to differentiate between a closed and an open TCP socket and a
TCP socket that speaks websocket.

[1]
[https://en.wikipedia.org/wiki/WebSocket](https://en.wikipedia.org/wiki/WebSocket)

~~~
owaislone
So if a local service allows WS connections, can data be scraped off such a
service?

~~~
dvdkhlng
Yes, the primary (or only) reason to even implement a WS server connection is
exactly to allow data to be scraped off using a web browser.

E.g. Asterisk nowadays allows enabling SIP protocol access over websocket so
that you can run a javascript VoIP client from inside a browser [1] (and
WebRTC for the media layer).

[1]
[https://wiki.asterisk.org/wiki/display/AST/Asterisk+Builtin+...](https://wiki.asterisk.org/wiki/display/AST/Asterisk+Builtin+mini-HTTP+Server)

~~~
owaislone
Sure but such servers would always implement authentication when deployed to
the web but a lot of such services could run locally unauthenticated to serve
local apps. For example services to power electron apps. This tells me data
from such services can be stolen very easily.

~~~
dvdkhlng
Electron apps have much more access permissions than a normal website. I don't
know technical details of how electron apps interact with the bundled chrome,
however this post [1] suggests that electron apps can just talk low-level TCP
protocol, no need to wrap everything in an additional websocket protocol
layer.

[1] [https://stackoverflow.com/questions/41674063/is-it-possible-...](https://stackoverflow.com/questions/41674063/is-it-possible-to-create-a-tcp-client-with-electron)

------
swalsh
I can think of a legitimate use case for this. If you watch some of these
scammer youtube videos, one common thing they seem to do is get on a
screensharing application, and have the user log into their bank account. From
there, the scammer inspects the html, and manipulates the values to trick the
victim.

A bank knowing if someone else is watching your screen is a decent security
measure.

------
brainzap
This is why the websocket implementation does not have meaningful error codes,
so people can not abuse it. But they still do.

------
thisisnot
In Firefox it seems you can disable websocket with network.websocket.max-connections = 0

Firefox and the illusion of privacy

(1)[https://www.remembertheusers.com/2018/03/0455-firefox-and-th...](https://www.remembertheusers.com/2018/03/0455-firefox-and-the-illusion-of-privacy.html)

------
homami
How does it work in practice? It seems in Chrome these errors cannot be caught
by try-catch blocks.

    try {
      var socket = new WebSocket('ws://localhost:808');
    }
    catch (ex) {
      console.log(ex) // control does not reach here
    }

~~~
mdouglass
It probably fires as an async error, I'd expect this would log it (if inserted
at the end of the try block):

    socket.onerror = (...args) => console.log('async error', ...args)

~~~
homami
socket.onerror event happens for both cases. But there does not seem to be any
difference between the error object that is passed to these handlers.

------
paddlesteamer
Actually, I'm pleased ebay is doing this. It wasn't a new issue but now that ebay
is doing it, it got a lot of attention. It's like disclosing a security issue in
the WebSocket protocol. Now I'm sure the next releases of most browsers will fix
it.

------
bosswipe
Javascript was a mistake, seriously. The benefit-cost ratio from the user's
point of view is disastrous. I'd rather slog through less fancy data entry
forms than suffer endless tracking, privacy and security attacks.

------
mirimir
Please ELI5 why it doesn't happen for www.ebay.com using Firefox in Debian. I
see no websocket connections to localhost in Network Monitor or iftop.

------
drbenway
I've noticed many of the survey-for-cash sites use websockets to scan for
running services on your machine. Personally I think it's straight up evil.

~~~
folmar
Those are natural abuse (automation) targets so they have always used a lot of tracking.

------
problem_halting
I see the port scanning behavior in Firefox and Chrome but not in Brave, even
with Brave shields down. Anyone else use Brave?

------
barbarbar
So if I disable javascript - it will not be possible?

------
null4bl3
Now scanning for open ports I can do on Linux.

But how would I go about monitoring which ports are being scanned on Linux?

No tool doing this comes to mind.

------
jquast
See also, [http://localrouter.net/](http://localrouter.net/)

------
snikch
Did they check the source of the request? My guess would have been an
extension doing this instead of the site.

------
pknerd
I just tried myself and could not find any such thing. Maybe a bug or removed
after seeing it featured on HN?

------
skizm
Is there a setting or something in either chrome or FF to block websites from
being able to port scan you?

~~~
upofadown
Supposedly you can disable websockets in Firefox by setting
network.websocket.max-connections in about:config to 0.

------
3fe9a03ccd14ca5
How do I prevent this? Is there something I can do to block localhost (RFC
1918) port scanning?

------
m3047
Apropos past issues with Zoom installing a local server, this is important to
consider.

------
dreamcompiler
Damn. Yet another example of "This is why we can't have nice things."

------
JaceLightning
Poorly written article: mixes facts and opinions

> it seems many sites are port scanning visitors for dubious reasons.

Claims that in the intro, but then admits ebay is scanning for VPNs, which
probably means it's doing fraud detection, which is definitely not a dubious
reason, and is probably actually beneficial to the customer.

------
lucaserb
I downloaded Brave for the first time today after reading this.

------
tonymet
Anyone know the config or flag in Chrome to disable any requests to localhost?
Ideally excluding origin=localhost, but if not possible I can dev on a
different account.

------
azinman2
Any suggestions of ways to block this? Any Safari extensions?

------
dawnerd
eBay must have some logic to determine who to scan. I can't get it to trigger
on my windows desktop or mac.

------
lucaserb
Downloading Brave Browser right now...

------
zlynx
If you want analogies, this is like walking into a bank to do business and the
security guard checking to see if you're wearing a mask.

~~~
tryauuum
People are good at inventing analogies that support their point of view.

------
awinter-py
TLDR because you have javascript enabled

------
kgersen
Port scanning is fine and should not be illegal. It's just "looking" at a
house to see if there is a door and what type of key (protocol) it uses.

Trying to open a connection, on the other hand, is like trying to open the
door. That should be considered as a violation.

~~~
jerf
Don't try to understand this with metaphors. It's a trap. Port scanning isn't
enough like anything in the real world for the analogies to apply.

I'd strengthen pfundstein's claim; port scanning intrinsically works by trying
to open connections. That isn't enough "like" any particular physical thing to
make it a correct analogy; it isn't knocking, or walking in, or opening, or
anything else. But one thing we can say, without using analogies, is that it
is definitely an _active_ effort, an action deliberately taken, not something
passive like "looking" is in the real world. That is not on its own proof that
it is wrong... I am merely saying, it is certainly _active_, not passive.

~~~
pbhjpbhj
I think your final objection fails by bad analogy too: one has to _actively_
direct one's gaze, in general, if one is to notice a type of lock or other
security arrangements.

~~~
jerf
I'm not analogizing to "actively looking"; I am saying, it is an active
action. You can tell it's active because if they don't make deliberate
decisions to write code that performs this scan, no scan will happen. They
have had meetings about this functionality, and implemented it, and tested it,
and management has signed off on it, and in a place like eBay quite likely
their legal department has signed off on it. It is an action they have taken,
with deliberation and intention; it is not a thing that just suddenly started
happening to them one day, like, Firefox shipping a new browser that has a new
default font or something.

I'm referring to the literal, probably-hundreds-of-person-hours actions taken
to create this functionality. This is relevant to both ethical and legal
analyses. No analogy.

------
superkuh
Port scanning isn't malicious behavior. Port scanning is about equivalent to
walking down the street and looking at the architecture of the buildings.

~~~
pdonis
Your analogy might apply to a port scanner running over the Internet and
looking at what ports are open on Internet-facing servers. (Though I would
still argue the analogy is flawed there: port scanning Internet-facing servers
is more like going up to each locked door on the street and writing down what
kind of lock it has, in case you want to try to pick it later.)

But a port scanner running inside the browser on my local machine is
equivalent to someone sneaking into my house and going through each room
seeing what valuables are there.

~~~
superkuh
I agree. It's foolish to give websites permission to do that kind of thing.
There's a very simple solution: don't give them permission. Turn off
javascript. Yes, ebay will complain but it'll still work. The power is in your
hands. No one is forcing you to use eBay either.

Giving arbitrary websites the ability to run arbitrary code on your machine is
just asking for trouble. It's like someone who opens and executes every email
attachment they receive. Try out NoScript temp-whitelist only mode that blocks
by default and requires manual permission giving.

