eBay & port scanning

richardtoohey2

Active Member

Reaction score: 35
Messages: 100

Not sure, but it's JavaScript running on your machine, probing local ports (so not coming from outside the machine).

So until someone proves me wrong, I'd assume it would work just about anywhere.

What I've read so far seems to say it has only been noticed on Windows machines, and it seems to be infrequent (or the when-to-scan pattern hasn't been worked out yet.)

EDIT: but having looked a bit more I'm not so sure I understand how it works. There are WebSockets but they seem too limited for this.
 

ralphbsz

Daemon

Reaction score: 1,480
Messages: 2,431

The Register (always an amusing thing to read) talked about this a few days ago. I think it works as follows: When you go to eBay's web page, it downloads a lot of JavaScript (nearly all web pages do today). In this case, that contains a security toolkit, which tries to figure out whether the machine that the web browser is running on has been hacked or not; one of the indications they use is whether the machine has open ports that allow remotely controlling it (like remote desktop applications, such as Microsoft's version of VNC). That sounds like a sensible security precaution on the part of eBay. Except the way they're doing it is pretty heavy-handed: Touching ports on the local machine is kind of rude. It's like you've been invited into a house (the user downloaded the web page after all), and when you go to the bathroom you open the cabinets looking for embarrassing things. The Register even had a picture of the source code that runs. It seems pretty obvious using JS to do this.

The need for eBay to make a determination whether a user of their service is a fraud or not is obvious. That includes reasonable precautions against hacked computers connecting to them. This makes sense. The question of whether port-scanning their computer is an ethical and legal way to do this is obviously nasty and difficult. To get back to my example above: when I get invited for dinner, I obviously make sure that the invitation is legit; for example, if the dinner host is wearing a mask and swinging a chainsaw around, that should legitimately raise some alarm bells. But would it be ethical to rummage through their bathroom drawers, looking for hemorrhoid medication and sex toys? Most of us would probably not think so.

I have no idea whether the JS would do this on other OSes (they typically don't use the same remote control applications). I'm sure the good people at eBay and their security contractors know how to be efficient.
 

richardtoohey2

Active Member

Reaction score: 35
Messages: 100

The Register story code snippet is showing WebSocket being the method used e.g.
Code:
var ws=new WebSocket("wss://127.0.0.1:25/");
That doesn't get me very far (but I'm trying on OpenBSD).

You can try the above snippet in Firefox - F12 to get the developer tools, open the Console tab and paste it in (you might get a warning about changing settings to allow things to be pasted).
 

ralphbsz

Daemon

Reaction score: 1,480
Messages: 2,431

I don't know enough JS to debug those lines ... but I'm sure that JS can open sockets and send/receive data in this general fashion.
 

unitrunker

Well-Known Member

Reaction score: 133
Messages: 401

I don't see how detecting an open port proves the client has a back door. There must be more to it.
 

richardtoohey2

Active Member

Reaction score: 35
Messages: 100

That's what I thought, but supposedly the creators/extenders of JavaScript realised allowing any ports would cause security issues so functionality is meant to be restricted to ports 80/443 ("ws" and "wss" under WebSockets instead of http/https).

But the code snippets shown on The Register are showing the old colon port-number e.g. :3389 approach that you can put on URLs (or is that URIs?) to try and open different ports.

If I try e.g. ports 22 or 25 I get this:

SecurityError: The operation is insecure.

If I try port 80 (I do have Apache listening) I get

Firefox can’t establish a connection to the server at wss://127.0.0.1:80/.

I will have a try on Firefox on Windows to see how the technique is meant to work (if I can get it working there.)

They've obviously (?) got it to work but I'm not seeing how yet. :-/
 

richardtoohey2

Active Member

Reaction score: 35
Messages: 100

I don't see how detecting an open port proves the client has a back door. There must be more to it.
I think the idea is that eBay can detect that the browser is on a machine running a remote control program (e.g. VNC) - so perhaps that machine has been backdoored, so they (eBay) need to treat anything that happens in that session as potentially compromised. So maybe (wild guesses!) they log more or lower limits, or demand extra authentication before anything major is done.
 

Elazar

Well-Known Member

Reaction score: 105
Messages: 250

I hate that my browser supports this. I really blame the browser, not javascript or ebay.
 

getopt

Aspiring Daemon

Reaction score: 451
Messages: 735

I hate that my browser supports this. I really blame the browser, not javascript or ebay.
Instead of hating (which is a stupid emotion) a piece of software (your browser) and blaming something that is outside yourself, you'd better blame yourself for not having understood and not having learned what JavaScript is doing in your browser (any browser).

There are lots of add-ons for browsers which can control if you want to disable JavaScript completely, site-wise or script-wise.

See that you blamed yourself?
 

wolffnx

Well-Known Member

Reaction score: 62
Messages: 354

The entire post was a wake-up call to me with respect to JS and my web browsing.

I searched a little bit and found that WebSockets can't listen for connections
(if anybody knows more about this please advise!!),
so theoretically JS can only scan for ports, which is bad but good at the same time because in
my case I only open SSHD when I need it.

There are lots of add-ons for browsers which can control if you want to disable JavaScript completely, site-wise or script-wise.
Always made me think, "why do JS blockers exist?" Now I get the answer: they are a good choice.
 

msplsh

Active Member

Reaction score: 51
Messages: 216

Deny websockets to loopback / private IP addresses / link local addresses seems like an easy browser option...
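
The target check that the option suggested above would need, as an added example that is not part of the original thread and not any browser's actual code. The helper names (`classifyTarget`, `guardWebSocket`) are hypothetical, and the address ranges are the standard loopback, private and link-local blocks.

```javascript
// Added example: hypothetical helper names, not a browser API.
// Classifies a WebSocket URL's target the way a "deny local targets" policy would.
function ipv4Class(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  const a = Number(m[1]), b = Number(m[2]);
  if (a === 127 || a === 0) return "loopback"; // 0.0.0.0/8 treated as local
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  if (a === 169 && b === 254) return "link-local";
  return "public";
}

function ipv6Class(bracketed) {
  const h = bracketed.slice(1, -1); // URL.hostname keeps the [ ] around IPv6
  if (h === "::1" || h === "::") return "loopback";
  // IPv4-mapped addresses are serialised in hex, e.g. ::ffff:7f00:1
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return ipv4Class([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
  }
  const first = parseInt(h.split(":")[0] || "0", 16);
  if ((first & 0xffc0) === 0xfe80) return "link-local"; // fe80::/10
  if ((first & 0xfe00) === 0xfc00) return "private";    // fc00::/7 unique local
  return "public";
}

function classifyTarget(url) {
  // WHATWG URL parsing normalises forms such as 127.1 or 2130706433 to 127.0.0.1
  const host = new URL(url).hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback";
  if (host.startsWith("[")) return ipv6Class(host);
  // Other DNS names cannot be classified without resolving them (assumption: public)
  return ipv4Class(host) ?? "public";
}

// Wraps a WebSocket constructor so local targets are reported and refused.
function guardWebSocket(WebSocketCtor, onBlock = () => {}) {
  return function GuardedWebSocket(url, protocols) {
    const target = classifyTarget(String(url));
    if (target !== "public") {
      onBlock({ url: String(url), target });
      throw new Error(`WebSocket to ${target} address refused: ${url}`);
    }
    return new WebSocketCtor(url, protocols);
  };
}
```

A check on the URL's host does not cover a DNS name that resolves to a local address; that case needs the same classification applied to the resolved address at connect time.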
 
OP
Alain De Vos

Well-Known Member

Reaction score: 89
Messages: 483

If I'm correct, WebSockets can only "scan" for "certain TCP handshakes".
PS: when you disable JavaScript entirely, your browser becomes useless for almost every site.
 

Jose

Active Member

Reaction score: 102
Messages: 218

I wonder if they're using DNS rebinding to work around browser security restrictions. I've had OK luck turning JavaScript off on a site by site basis using uBlock Origin, usually to work around sites that refuse to load in private mode. Most sites are still readable even with JS off.
 

da1

Aspiring Daemon

Reaction score: 96
Messages: 881

well, f**k. not so nice s**t to read about your employer ....
 

richardtoohey2

Active Member

Reaction score: 35
Messages: 100

I think the motivation isn't bad - trying to prevent fraud by detecting machines that have been taken over by malicious actors.

But "hidden" local port-scanning when you are looking at an ecommerce website does not feel right.

Do the ends justify the means?
 