# Ebay & port scanning



## Alain De Vos (May 30, 2020)

A rather fascinating story.








Is eBay Port Scanning Your PC? (Probably) (securityboulevard.com)

Using eBay causes your Windows PC’s ports to be scanned—personal data gets silently sent back to the mothership.
				



Will it work on FreeBSD?


----------



## richardtoohey2 (May 30, 2020)

Not sure, but it's JavaScript running on your machine, probing local ports (so not coming from outside the machine).

So until someone proves me wrong, I'd assume it would work just about anywhere.

What I've read so far seems to say it has only been noticed on Windows machines, and it seems to be infrequent (or the when-to-scan pattern hasn't been worked out yet.)

EDIT: but having looked a bit more I'm not so sure I understand how it works.  There are WebSockets but they seem too limited for this.


----------



## ralphbsz (May 30, 2020)

The Register (always an amusing thing to read) talked about this a few days ago. I think it works as follows: When you go to eBay's web page, it downloads a lot of JavaScript (nearly all web pages do today). In this case, that contains a security toolkit, which tries to figure out whether the machine that the web browser is running on has been hacked or not; one of the indications they use is whether the machine has open ports that allow remotely controlling it (like remote desktop applications, such as Microsoft's version of VNC). That sounds like a sensible security precaution on the part of eBay. Except the way they're doing it is pretty heavy-handed: Touching ports on the local machine is kind of rude. It's like you've been invited into a house (the user downloaded the web page after all), and when you go to the bathroom you open the cabinets looking for embarrassing things. The Register even had a picture of the source code that runs. It seems pretty obvious using JS to do this.

The need for eBay to make a determination whether a user of their service is a fraud or not is obvious. That includes reasonable precautions against hacked computers connecting to them. This makes sense. The question of whether port-scanning their computer is an ethical and legal way to do this is obviously nasty and difficult. To get back to my example above: when I get invited for dinner, I obviously make sure that the invitation is legit; for example, if the dinner host is wearing a mask and swinging a chainsaw around, that should legitimately raise some alarm bells. But would it be ethical to rummage through their bathroom drawers, looking for hemorrhoid medication and sex toys? Most of us would probably not think so.

I have no idea whether the JS would do this on other OSes (they typically don't use the same remote control applications). I'm sure the good people at eBay and their security contractors know how to be efficient.


----------



## richardtoohey2 (May 30, 2020)

The Register story code snippet is showing WebSocket being the method used e.g.

```
var ws=new WebSocket("wss://127.0.0.1:25/");
```

That doesn't get me very far (but I'm trying on OpenBSD).

You can try the above snippet in Firefox - F12 to get the developer tools, open the Console tab and paste it in (you might get a warning about changing settings to allow things to be pasted).


----------



## ralphbsz (May 30, 2020)

I don't know enough JS to debug those lines ... but I'm sure that JS can open sockets and send/receive data in this general fashion.


----------



## unitrunker (May 30, 2020)

I don't see how detecting an open port proves the client has a back door. There must be more to it.


----------



## richardtoohey2 (May 30, 2020)

That's what I thought, but supposedly the creators/extenders of JavaScript realised allowing *any* ports would cause security issues so functionality is _meant_ to be restricted to ports 80/443 ("ws" and "wss" under WebSockets instead of http/https).

But the code snippets shown on The Register are showing the old colon port-number e.g. :3389 approach that you can put on URLs (or is that URIs?) to try and open different ports.

If I try e.g. ports 22 or 25 I get this:

_SecurityError: The operation is insecure._

If I try port 80 (I do have Apache listening) I get 

_Firefox can’t establish a connection to the server at wss://127.0.0.1:80/._

I will have a try on Firefox on Windows to see how the technique is meant to work (if I can get it working there.)

They've obviously (?) got it to work but I'm not seeing how yet.


----------



## richardtoohey2 (May 30, 2020)

unitrunker said:


> I don't see how detecting an open port proves the client has a back door. There must be more to it.


I think the idea is that eBay can detect that the browser is on a machine running a remote control program (e.g. VNC) - so _perhaps_ that machine has been backdoored, so they (eBay) need to treat anything that happens in that session as potentially compromised. So maybe (wild guesses!) they log more or lower limits, or demand extra authentication before anything major is done.


----------



## George (May 30, 2020)

I hate that my browser supports this. I really blame the browser, not javascript or ebay.


----------



## getopt (May 30, 2020)

Elazar said:


> I hate that my browser supports this. I really blame the browser, not javascript or ebay.


Instead of hating (which is a stupid emotion) a piece of software (your browser) and blaming something that is outside yourself you'd better blame yourself for not having understood and not having learned what JavaScript is doing in your browser (any browsers).

There are lots of add-ons for browsers which can control if you want to disable JavaScript completely, site-wise or script-wise. 

See that you blamed yourself?


----------



## wolffnx (May 30, 2020)

The entire post was a wake-up call to me with respect to JS and my web browsing.

I searched a little bit and found that WebSockets *can't listen* for connections
(if anybody knows more about this, please advise!!),
so theoretically JS can only scan for ports, which is bad but good at the same time because in
my case I only open SSHD when I need it.



getopt said:


> There are lots of add-ons for browsers which can control if you want to disable JavaScript completely, site-wise or script-wise.



It always made me think, "why do JS blockers exist?" Now I get the answer: they are a good choice.


----------



## msplsh (May 30, 2020)

Deny websockets to loopback / private IP addresses / link local addresses seems like an easy browser option...


----------
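A URL-level version of the loopback / private / link-local deny rule suggested in the post above, as an added example that is not part of the thread or of any browser's code. The function names and the sample URLs are constructed for illustration.

```javascript
// Added example; classifyHost / localWebSocketTargets are hypothetical names, not a browser API.
const V4_RANGES = [ // [label, base address as uint32, prefix length]
  ["loopback", 0x7f000000, 8],    // 127.0.0.0/8
  ["private", 0x0a000000, 8],     // 10.0.0.0/8
  ["private", 0xac100000, 12],    // 172.16.0.0/12
  ["private", 0xc0a80000, 16],    // 192.168.0.0/16
  ["link-local", 0xa9fe0000, 16], // 169.254.0.0/16
];
function classifyV4(ip) {
  for (const [label, base, bits] of V4_RANGES) {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    if (((ip & mask) >>> 0) === base) return label;
  }
  return "public";
}
function classifyHost(hostname) {
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback";
  const v4 = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (v4) {
    const [a, b, c, d] = v4.slice(1).map(Number);
    return classifyV4(((a << 24) | (b << 16) | (c << 8) | d) >>> 0);
  }
  if (host === "::1") return "loopback";
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (mapped) { // IPv4-mapped IPv6, as serialized by the URL parser
    return classifyV4(((parseInt(mapped[1], 16) << 16) | parseInt(mapped[2], 16)) >>> 0);
  }
  if (/^f[cd][0-9a-f]{2}:/.test(host)) return "private";    // fc00::/7
  if (/^fe[89ab][0-9a-f]:/.test(host)) return "link-local"; // fe80::/10
  return "public";
}

// Returns the ws:/wss: URLs that a deny-local policy would refuse to open.
function localWebSocketTargets(urls) {
  const denied = [];
  for (const raw of urls) {
    const u = new URL(raw); // the WHATWG parser also normalizes forms like 0x7f.1
    if (u.protocol !== "ws:" && u.protocol !== "wss:") continue;
    const kind = classifyHost(u.hostname);
    const port = u.port || (u.protocol === "wss:" ? "443" : "80");
    if (kind !== "public") denied.push({ url: raw, kind, port });
  }
  return denied;
}
// Constructed sample: the thread's probe URL plus made-up LAN and public targets.
const SAMPLE = ["wss://127.0.0.1:25/", "wss://127.0.0.1:3389/", "ws://[::1]:5900/",
  "ws://192.168.1.10/", "wss://chat.example.com/socket"];
```

A check on the URL alone does not see a public hostname that resolves to a local address (the DNS rebinding case raised later in the thread), so a real filter would also have to check the resolved address.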



## Alain De Vos (May 30, 2020)

If I'm correct, WebSockets can only "scan" for "certain TCP handshakes".
PS: when you disable JavaScript entirely, your browser becomes useless for almost every site.


----------



## Jose (May 30, 2020)

I wonder if they're using DNS rebinding to work around browser security restrictions. I've had OK luck turning JavaScript off on a site-by-site basis using uBlock Origin, usually to work around sites that refuse to load in private mode. Most sites are still readable even with JS off.


----------



## da1 (Jun 1, 2020)

well, f**k. not so nice s**t to read about your employer ....


----------



## richardtoohey2 (Jun 2, 2020)

I think the _motivation_ isn't bad - trying to prevent fraud by detecting machines that have been taken over by malicious actors.

But "hidden" local port-scanning when you are looking at an ecommerce website does not feel right.

Do the ends justify the means?


----------

