
eBay is port scanning visitors to their website - joering2
https://blog.nem.ec/2020/05/24/ebay-port-scanning/
======
Maxious
This might explain why some preinstalled HP laptop software (with open ports?)
causes a BSOD when users visit eBay:
[https://h30434.www3.hp.com/t5/Notebook-Operating-System-and-Recovery/Blu-screen-error-after-login-to-ebay-costumer-page/td-p/6692602](https://h30434.www3.hp.com/t5/Notebook-Operating-System-and-Recovery/Blu-screen-error-after-login-to-ebay-costumer-page/td-p/6692602)

~~~
ezoe
A preinstalled local server, presumably running in kernel space since it causes
a BSOD, crashes when something connects from localhost and attempts a TLS
handshake? The preinstalled crapware never changes.

~~~
sq_
I feel like the only good option at this point when purchasing a prebuilt
desktop or a laptop is to nuke the drive and do a clean install of Windows.
Seems like the only way to ensure that you've killed the crapware and any
partitions meant to preserve/reinstall it.

~~~
vetrom
Sometimes that isn't even enough. Windows for example ships with a feature
called the "Windows Platform Binary Table" that will load and run DLLs
embedded in a machine's ACPI tables.

~~~
mycall
Is there software that will enumerate ACPI for DLLs?

~~~
mkup
You can look for ACPI table(s) called "WPBT" using RWEverything (if you are a
Windows user):
[http://rweverything.com/downloads/RwPortableX64V1.7.zip](http://rweverything.com/downloads/RwPortableX64V1.7.zip)

or look into the following filesystem path in Linux: /sys/firmware/acpi/tables

------
mehrdadn
I asked this earlier and nobody had a response, so thought I'd ask it again:
is there an extension to block this?

Edit: @Windows users: pip install pydivert and then try to write a script to
block connections from Chrome to non-Chrome processes. You might need
GetTcpTable2() or something. (Looking into this now. Check out
[http://stackoverflow.com/a/25431340](http://stackoverflow.com/a/25431340))

~~~
sva_
As far as I know these port scans are done using WebRTC. Using a browser
extension[0] it is easy to deactivate it on the go. Personally, I always have
WebRTC disabled by default (as it has several nasty security implications),
and only activate it if I explicitly need it for something.

[0] [https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc/](https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc/)

~~~
moooo99
IIRC, eBay uses websocket connections [0] to scan the ports. Firefox doesn't
offer an option to disable websockets in the _about:config_ page. However, I
have read about workarounds by setting

    network.websocket.max-connections=0

This is a global setting and is applied to all websites. I also wasn't able to
test this myself yet. Are there any good extensions for blocking websockets on
for specific domains?

[0] [https://nullsweep.com/why-is-this-website-port-scanning-me/](https://nullsweep.com/why-is-this-website-port-scanning-me/)

~~~
hazz99
To people reading this, many websites rely on websockets for real-time
information. They would likely fallback to per-refresh HTTP requests, but it
also may break a bunch of sites.

~~~
narrowtux
As a developer on a product that uses websocket extensively, I'm afraid that
this will lead to the already huge distrust in the technology.

If IT admins get wind of this they'll just block it (or never unblock it since
it's been blocked by some from day 1) and our product gets degraded
experience.

~~~
dicknuckle
Like dropping ICMP replies on firewalls. Idiotic because it gives a very false
sense of security. It's been a useless "security" practice since the 90s.

~~~
1over137
But don't firewalls drop everything inbound by default? So it's more that
people don't know they should create rules to allow ICMP, no?

~~~
concerned_user
The connection comes from your browser, i.e. localhost to yourself; firewalls
are not set up to block such connections in most cases.

------
mobilio
It's crystal clear why they do this.

Many companies or persons share their desktops for remote usage. Later they
sell this service to eBay users. And they're using it for different fraudulent
activities - from making real sales (just for stars) to bidding to own items
(for rising price).

For years eBay has fought this.

~~~
kevsim
It seems like eBay wants it both ways. They want to have a huge user base with
low friction to get started, but they also don't want fraudulent players.
Instead of doing KYC (know your customer) like many financial services,
they're stuck doing dirty tricks like this to try and combat fraud.

~~~
varjag
Cheating is rampant in all financial services that mediate transactions
between end customers. No shortage of stories about card fraud or PayPal woes.

~~~
syshum
That is largely down to the liability being on the end points of the
transaction, not on the transport layer...

Either the consumer or the merchant bears the cost for fraud; rarely does
PayPal or the banks. If they did, the problem of identity fraud would be solved,
and would not be called "identity theft".

------
gkoberger
A similar article was on HN a few days ago:

[https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/](https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/)

Here's the discussion about it:

[https://news.ycombinator.com/item?id=23361823](https://news.ycombinator.com/item?id=23361823)

------
cube00
Previous discussion:
[https://news.ycombinator.com/item?id=23246170](https://news.ycombinator.com/item?id=23246170)

~~~
robert_tweed
In case anyone thinks this is a dupe, it's not. This post is inspired by the
first article. It gives a much more detailed analysis of the code and what
data is sent where.

------
nerdbaggy
The company that is actually providing this service is Lexis Nexis:
[https://risk.lexisnexis.com/corporations-and-non-profits/fraud-and-identity-management](https://risk.lexisnexis.com/corporations-and-non-profits/fraud-and-identity-management)

------
dpenguin
eBay has a big fraud headache. They have a bunch of algorithms (from the pre-
ML-hype days) that take a variety of inputs to determine whether a given
transaction is fraudulent or not. Presence of remote login service on the
user’s computer may tip the scale heavily in this calculation. Fraud detection
is a necessary evil for all financial transaction companies in order to keep
costs low for everyone else.

If you’re worried about privacy, use CCPA’s right to information and ask them
for a dump of everything they have on you. They are supposed to give you info
that other SPs like Threatmetrix have on you as well if they really are
transmitting it to 3rd parties.

~~~
matheusmoreira
> Fraud detection is a necessary evil for all financial transaction companies
> in order to keep costs low for everyone else.

That doesn't mean they should be allowed to behave like cybercriminals. The
risk of fraud doesn't give them a free pass to abuse our trust and invade our
privacy. They aren't entitled to know what software people run on their own
computers. Especially if they learn this information through underhanded means
like port scanning people's local networks without their permission or
knowledge. It doesn't matter how much money they're losing because of fraud,
they don't get to violate these boundaries in order to reduce the risk
associated with their own business.

~~~
dpenguin
Is “behaving like cyber criminals” bad though? Just because it’s doing
something out of the ordinary in terms of tech doesn’t mean it’s bad. Fighting
cybercrime is always a cat and mouse game akin to counter terrorism, counter
espionage or even plain cops and robbers. You need to think like your enemy,
have informers, etc etc, while not harming the good citizens. That’s what is
going on here.

Are there cops who misuse their power? Absolutely. Are there spies who use
information for personal gains? Sure. There need to be checks and balances
that make it bad for such people to go rogue.

Privacy acts aim to do some of that. They bring accountability but also an
ability to opt out (the latter is hard though - akin to ostracizing oneself
from a community).

~~~
matheusmoreira
It's true that the consequences of being port scanned by some website are
probably negligible. However, that is not the _real_ problem.

The real problem is the _audacity_ of these people. They think they can do
whatever they want. Not only that, they think they are _justified_ in doing
it. They need this information for their own purposes, so they just take it
from people without asking, without even informing them. In their minds, what
they did was not objectionable. They _needed_ to do it, so they didn't do
anything wrong. Those fraudsters left them no choice: they just _had_ to
invade the privacy of every single person who visited their website.

It's the same logic every abuser uses. It betrays a fundamental lack of
respect for the people who use their service. It's impossible to have trust
without this respect.

~~~
dpenguin
This notion of invasion of privacy is all relative. If they ask you for your
mother’s maiden name or first pet or the city where you had your first kiss,
you are okay typing it in a form for them.

If they try to infer the active port numbers on your computer to see if
there’s a Remote Desktop installed by a bot, you’re not okay.

What’s the alternative? Do you want them to disclose everything they do in a
marketing article even though 99.99% of people will have no clue what that
means and 10 of the 100 people that bother to read and understand will use it
against them. To what end? To gain your trust? You - who has already given
them your credit card number, mothers maiden name and city where you first got
intimate with your first partner?

------
oefrha
I never understood why websockets aren’t subject to same origin policy and
CORS (or similar policies). Any web expert here could explain this design
(non-)decision?

~~~
bostik
Surprisingly often websocket connections are made to a different domain from
what is serving the site itself. I'm not sure about the root cause to the
pattern, but sure as hell know that our company has been doing it at least
since 2013.

Browsers set the "Origin" header for ws:// calls, and the websocket servers
are expected to check that. Without the check, it'd be possible to issue blind
writes (CSRF) from random webpages to the ws:// endpoints. If you're using
main site authentication with a separate websocket domain and auth'd requests,
all garden variety security scanners will flag the separate websocket domain
as a problem, and only the robust ones actually try to validate the server
side configuration.

Disclosure: I have triaged and responded to a few of such reports.

~~~
marcosdumay
> Surprisingly often websocket connections are made to a different domain from
> what is serving the site itself.

That's probably because websockets require asynchronous servers optimizing for
number of active connections, while normal sites are best served by servers
optimized for response time.

Of course, you _can_ have both handled by the same origin, but it's not the
blatantly obvious way.

------
z3t4
This is what happens when there is a browser monopoly. Fixing security does not
have priority. Maximizing revenue is the priority. The browser should stop
outgoing connections that are not from the same origin. Then users have to opt
in like with popup windows.

------
soraminazuki
Has anyone confirmed whether they're still continuing this practice? I'm
curious, but at the same time feel highly uncomfortable visiting a website
that has no problems exploiting a browser loophole.

~~~
cfn
Just tried ebay.co.uk and I can see several clear.png calls with 204 and a
payload as described in the article.

------
maett
Extremely well written sum-up, learned a lot about how to approach an
investigation like this. Thank you.

------
eraserj
Just wait until the database of IPs and open ports is leaked and hackers start
exploiting vulnerabilities in the software listening on these ports to break
into random people's devices.

~~~
Erwin
That database has existed for ages:
[https://www.shodan.io/](https://www.shodan.io/)

~~~
hedora
Does Shodan have a map of public ip -> natted local network ip:port pairs?

I thought it was only public ip ports.

------
fractal618
Perhaps they've asked threat metrix to handle a portion of their security and
this was their solution?

At the end of the day, we all need to realize that we send out far more
information than we receive when we surf the web.

------
Nightshaxx
I saw him talk about how Threat Matrix is usually blocked.....but Threat
Matrix has their clients get unique endpoint URLs to disguise it. I don't
really know how AdBlock works, but aside from the extra time it would take,
why don't ad blockers look up the record of any URLs on the page and see if
they are a CNAME for an A url that is on the block list?

~~~
thefreeman
uBlock Origin does exactly that on browsers which support it. Which I believe
is only Firefox at this time.
[https://github.com/uBlockOrigin/uBlock-issues/issues/780](https://github.com/uBlockOrigin/uBlock-issues/issues/780)

~~~
Nightshaxx
Well, I was already using Ff+UblockO, so this is just another reason to keep
using it. I would really prefer I not get port scanned.

------
zajio1am
The real issue is not that eBay or some other specific website uses Javascript
to port scan network. The real issue is that browsers allow such behavior by
default.

------
missblit
A couple Chrome devtools debugging tips:

1. Local Overrides feature allows you to persist and edit source files across
page loads (unfortunately only source files currently, so you're out of luck
if the JS comes from an XHR or something)

2. F3 on the network panel will let you search for a string across all
resources the page loaded. Can be useful for tracking down where stuff like
user-agent checks are called (if not obfuscated).

Also calling the code obfuscated is pretty generous. It's amazing how common
things like shift ciphers, XOR tricks, etc. are when the browser's REPL cuts
through them like butter.

~~~
nemec0
Thanks for the tips! Local Overrides is new to me and would have helped a lot.
I made heavy use of F3 (also Ctrl+Shift+F) to find my way around those
scripts, and to find my place again after each page refresh.

------
nsajko
[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

------
SamReidHughes
Huh. I've been using eBay a lot this week, and it might have triggered a
kernel bug. I had terrible internet performance that got resolved by rebooting
my Ubuntu 18.04 laptop.

------
floatingatoll
macOS users, I believe based on my testing that you can block your installed
web browsers from localhost port scanning using LittleSnitch. This way you can
continue to allow WebRTC and WebSockets to the rest of the Internet (where
it's useful), while denying web browsers access to localhost except for
specific ports you allow.

However, I encourage you to be careful and _only_ block web browsers to
localhost using this method, because lots of macOS applications depend on
localhost connections to talk to themselves, so if you block everything from
talking to localhost you may break e.g. LittleSnitch, macOS itself, etc. NO
WARRANTY, HAVE BACKUPS, standard stuff.

To set this up, for each /Applications/Browser.app, create a LittleSnitch
'Deny Connections' To 'IP Addresses' rule and enter '127.0.0.1, ::1' without
quotes into the text field and click OK. Then right-click on the newly-created
application rule and select 'Increase Priority', which will bold the rule text
'Deny outgoing connections to 2 IP addresses'. Repeat this for each
Browser.app you use.

If you'd like to specifically enable certain localhost ports to be accessible
by your browser (such as 80/443), you can create another rule using the above
steps, but before saving the rule, change 'Deny' to 'Allow' and click the '\/'
dropdown caret button and enter the appropriate port and select TCP. I
encountered some UI quirks doing this but once it's created it works as it
should.

Here's a screenshot of the results of my testing for comparing against. I'm
not really familiar with how LS works so I can't offer much support, but I
fresh-installed it and left all the defaults alone and it worked, so more
advanced users shouldn't have much trouble.
[https://i.imgur.com/T0yqrdM.png](https://i.imgur.com/T0yqrdM.png)

Good luck!

(For those wondering if other software can do this, I tested various macOS
application firewalls today and most of them either global-allow localhost
connections or don't offer outbound filtering at all. So far, the only one
that can block web browsers _only_ from connecting to localhost is
LittleSnitch, with some quirks that I wrote a note to their support about. At
least one let me create the rule and cheerfully said it was active and then it
didn't block anything.)

~~~
apple4ever
Ah thanks for this. I was looking for a way to accomplish this. I own LS so
I'm going to give this a shot.

------
gear54rus
What can you possibly know from such a scan?

The standard clearly states that pretty much nothing:
[https://www.w3.org/TR/websockets/#concept-websocket-close-fail](https://www.w3.org/TR/websockets/#concept-websocket-close-fail)

Sure they're shady and that needs to be blocked, but security implications?
Pretty much nil.

~~~
cygx
_Sure they're shady and that needs to be blocked, but security implications?
Pretty much nil._

Fingerprinting. Vulnerability discovery. Messing up programs that don't know
how to deal with unexpected HTTP requests.

------
jokoon
I remember while working at some company, I started using a local flask
server.

For some reason, I remember one company router kept making HTTP requests on
port 5000 or 8000, can't remember which port, because it was literally showing
up on the terminal, with the HTTP path, at random times.

I'm sure being a hacker must be pretty fun these days.

------
hakcermani
Great article! Finally I got it, between this one and the original post, 'Why
is this website port scanning me'. Can anyone shed some thoughts on why the
scan is not performed on Linux machines? Maybe not RDP, but VNC servers, like
the scan performs on Windows m/cs..

------
_trampeltier
Could, for example, a website like eBay also access the internal intranet in a
company? Or my cloud storage like SharePoint that is open in the same browser?

------
dnebdal
Here's how to block websites from port-scanning localhost through the browser:
[https://www.ctrl.blog/entry/block-localhost-port-scans.html](https://www.ctrl.blog/entry/block-localhost-port-scans.html)

------
zimaalsu
I thought it was no secret to anyone that all services track digital
fingerprints... and there are many ways to do this. To fight them I use an
anti-detection browser such as
[https://gologinapp.com/](https://gologinapp.com/) or others. Are there any
alternatives to this?

------
uniformlyrandom
Google's internal sso (which I accidentally stumbled upon) collects other
endpoint-specific parameters to compose the digital signature (like browser
window size and monitor size).

This feels more effective and less intrusive. Not sure why ebay went this
rather weird and creepy way instead.

~~~
rtkwe
Looking for fraud signs is my guess, people don't usually use eBay through
TeamViewer so if it's on and the port is open then an otherwise normal
transaction gets really suspicious for example. They're probably feeding the
open port info into their model to determine fraud risk for user logins and
transactions.

They may not even be using it actively yet because they'd need to gather a lot
of example data to detect outliers.

~~~
solnyshok
How can they differentiate between an idling TV server running on (all) my
machines and an active TV session?

~~~
rtkwe
I don't know if there's a detectable difference just looking at the ports;
just having TeamViewer installed slightly increases the risk of any
transaction being fraudulent though. I'm just trying to provide an example of
how port data could be used for a meaningful purpose. Even just as an
additional fingerprinting component it could be useful.

------
olliej
Wasn't this on the front page just a few days ago?

~~~
scollet
More than one discussion can be had.

~~~
Wowfunhappy
I respectfully disagree in this case—the last story was too recent, and this
one does not contain any significant new information, so we're likely to end
up just rehashing the same points (and have so far, in my estimation).

Edit: But, thefreeman above just informed me there's actual new information in
this article (which I originally hadn't read, because the comments here made
me assume it was the same as the last story on HN). So, thanks!

------
sloshnmosh
I immediately thought about this after reading the Wikipedia page of Peter
Thiel and Palantir, where he stated he wanted to use technology that was used
to protect PayPal (that was purchased by eBay).

------
lazyjones
I thought it would be obvious that eBay is doing this to identify bots
(usually on servers) vs. real users (on client-only devices).

~~~
meowface
That is one of the main purposes, yes. I have no problem with it, personally.
Many HN users are very privacy-conscious and consider it not acceptable for
any purpose, though; including that one. I think both positions are fine.

~~~
lazyjones
> Many HN users are very privacy-conscious and consider it not acceptable for
> any purpose, though; including that one

It's an opinion, I suppose, but it doesn't seem to be based on reasonable
expectations. Anyone can portscan anyone else, lots of security researchers
have published their findings from portscanning large IP address ranges etc.
... If I don't want other people to see or access open ports on my system, I
can firewall them.

~~~
detaro
External portscans are quite different from using your own machine to portscan
itself/the local network.

------
jurassic
I'm just a layman, but I don't see how ThreatMatrix could possibly be seen as
within the spirit of GDPR. I hope regulators throw the book here.

------
igravious
Humanity constructed something wonderful and new. (The internet.) And the
corporate web has all but destroyed it.

~~~
phs318u
Slightly OT but I’d suggest that the thing that has “ruined” the internet (for
me) more than any other single thing are trolls, and they predate the
corporate web by a long way.

~~~
anewdirection
I would take 2x trolls over the abusive advertising and tracking network we
have now.

