eBay is port scanning visitors to their website

478 points, by joering2, almost 5 years ago

31 comments

Maxious, almost 5 years ago
This might explain why some preinstalled HP laptop software (with open ports?) causes a BSOD when users visit eBay: https://h30434.www3.hp.com/t5/Notebook-Operating-System-and-Recovery/Blu-screen-error-after-login-to-ebay-costumer-page/td-p/6692602
mehrdadn, almost 5 years ago
I asked this earlier and nobody had a response, so I thought I'd ask it again: is there an extension to block this?

Edit: @Windows users: pip install pydivert and then try to write a script to block connections from Chrome to non-Chrome processes. You might need GetTcpTable2() or something. (Looking into this now. Check out http://stackoverflow.com/a/25431340)
mobilio, almost 5 years ago
It's crystal clear why they do this.

Many companies or persons share their desktops for remote usage. Later they sell this service to eBay users. And they're using it for different fraudulent activities - from making real sales (just for stars) to bidding on their own items (to raise the price).

For years eBay has fought this.
gkoberger, almost 5 years ago
A similar article was on HN a few days ago:

https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/

Here's the discussion about it:

https://news.ycombinator.com/item?id=23361823
cube00, almost 5 years ago
Previous discussion: https://news.ycombinator.com/item?id=23246170
nerdbaggy, almost 5 years ago
The company that is actually providing this service is Lexis Nexis: https://risk.lexisnexis.com/corporations-and-non-profits/fraud-and-identity-management
dpenguin, almost 5 years ago
eBay has a big fraud headache. They have a bunch of algorithms (from the pre-ML-hype days) that take a variety of inputs to determine whether a given transaction is fraudulent or not. The presence of a remote login service on the user's computer may tip the scale heavily in this calculation. Fraud detection is a necessary evil for all financial transaction companies in order to keep costs low for everyone else.

If you're worried about privacy, use CCPA's right to information and ask them for a dump of everything they have on you. They are supposed to give you the info that other SPs like ThreatMetrix have on you as well, if they really are transmitting it to 3rd parties.
oefrha, almost 5 years ago
I never understood why websockets aren't subject to the same-origin policy and CORS (or similar policies). Could any web expert here explain this design (non-)decision?
z3t4, almost 5 years ago
This is what happens when there is a browser monopoly. Fixing security does not have priority. Maximizing revenue is the priority. The browser should stop outgoing connections that are not to the same origin. Then users would have to opt in, like with popup windows.
soraminazuki, almost 5 years ago
Has anyone confirmed whether they're still continuing this practice? I'm curious, but at the same time I feel highly uncomfortable visiting a website that has no problem exploiting a browser loophole.
maett, almost 5 years ago
Extremely well written sum-up; I learned a lot about how to approach an investigation like this. Thank you.
eraserj, almost 5 years ago
Just wait until the database of IPs and open ports is leaked and hackers start exploiting vulnerabilities in the software listening on these ports to break into random people's devices.
fractal618, almost 5 years ago
Perhaps they've asked ThreatMetrix to handle a portion of their security and this was their solution?

At the end of the day, we all need to realize that we send out far more information than we receive when we surf the web.
Nightshaxx, almost 5 years ago
I saw him talk about how ThreatMetrix is usually blocked..... but ThreatMetrix has their clients get unique endpoint URLs to disguise it. I don't really know how AdBlock works, but aside from the extra time it would take, why don't adblockers look up the record of any URLs on the page and see if they are a CNAME for an A URL that is on the block list?
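What Nightshaxx describes is usually called CNAME uncloaking: the filter checks not only the literal hostname of each resource but every name in its CNAME chain against the block list. The following is an added example, not part of the thread and not any ad blocker's code; it simulates that check offline with a constructed CNAME table and block list (a real implementation would query the resolver where CNAME_TABLE is consulted here). All hostnames below are made up.

```javascript
// Added example: offline simulation of CNAME uncloaking for a page's resources.
// CNAME_TABLE and BLOCKLIST are constructed for the demo; a real filter would
// replace the table lookup with a DNS CNAME query.

// Constructed CNAME records: first-party-looking names aliasing a tracker,
// a legitimate CDN alias, and a pathological loop to show the guard.
const CNAME_TABLE = {
  "fp.shop.example": "shop.example.cdn-collector.example",
  "shop.example.cdn-collector.example": "collect.fraudvendor.example",
  "cdn.shop.example": "shop-assets.cdnprovider.example",
  "loop-a.example": "loop-b.example",
  "loop-b.example": "loop-a.example",
};

// Constructed block list: an entry matches the domain itself and all subdomains.
const BLOCKLIST = ["fraudvendor.example", "cdn-collector.example"];

// Walk the CNAME chain from host and return every name visited, in order.
// Stops at a name with no CNAME, on a loop, or after maxDepth hops.
function resolveChain(host, table = CNAME_TABLE, maxDepth = 8) {
  const chain = [host.toLowerCase()];
  for (let i = 0; i < maxDepth; i++) {
    const next = table[chain[chain.length - 1]];
    if (!next) break;
    const name = next.toLowerCase();
    if (chain.includes(name)) break; // loop guard
    chain.push(name);
  }
  return chain;
}

function domainMatches(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

// Check one resource URL from the page. The verdict carries the chain that
// produced it so the decision can be explained in a log or UI.
function checkUrl(url, table = CNAME_TABLE, blocklist = BLOCKLIST) {
  const host = new URL(url).hostname;
  const chain = resolveChain(host, table);
  for (const name of chain) {
    const entry = blocklist.find((e) => domainMatches(name, e));
    if (entry) return { url, blocked: true, matchedName: name, matchedEntry: entry, chain };
  }
  return { url, blocked: false, chain };
}

// Constructed page resources, one of them cloaked behind a first-party subdomain.
const PAGE_RESOURCES = [
  "https://www.shop.example/app.js",
  "https://cdn.shop.example/lib.js",
  "https://fp.shop.example/v1/fp.js",
  "https://collect.fraudvendor.example/beacon",
];

function auditPage(urls = PAGE_RESOURCES) {
  return urls.map((u) => checkUrl(u));
}

for (const r of auditPage()) {
  console.log(r.blocked ? "BLOCK" : "allow", r.url, "via", r.chain.join(" -> "));
}
```

The cost Nightshaxx mentions is real: each resource needs a resolver round trip before the block decision, which is why blockers that do this cache the chain per hostname and only uncloak candidates that are not already on the list by literal name.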
zajio1am, almost 5 years ago
The real issue is not that eBay or some other specific website uses JavaScript to port scan the network. The real issue is that browsers allow such behavior by default.
missblit, almost 5 years ago
A couple of Chrome devtools debugging tips:

1. The Local Overrides feature allows you to persist and edit source files across page loads (unfortunately only source files currently, so you're out of luck if the JS comes from an XHR or something).

2. F3 on the network panel will let you search for a string across all resources the page loaded. Can be useful for tracking down where stuff like user-agent checks are called (if not obfuscated).

Also, calling the code obfuscated is pretty generous. It's amazing how common things like shift ciphers, XOR tricks, etc. are when the browser's REPL cuts through them like butter.
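An added example of the kind of throwaway decoders missblit is talking about; it is not code from the thread or from the script under discussion. The plaintext, the shift amount and the XOR key are constructed here purely to show the two recoveries: brute-forcing a character-code shift with a plausibility score, and undoing a repeating-key XOR when the key is found elsewhere in the script.

```javascript
// Added example: console-sized decoders for shift-cipher and XOR string hiding.
// PLAIN, the shift of 3 and the key "k3y" are constructed for the demo.

const PLAIN = "new WebSocket('ws://127.0.0.1:' + port)";

// Shift every character code by n (mod 256). A negative n undoes a shift.
function shiftString(s, n) {
  return Array.from(s, (c) =>
    String.fromCharCode((((c.charCodeAt(0) + n) % 256) + 256) % 256)
  ).join("");
}

// Crude plausibility score: printable ratio plus a bonus per JS-looking token.
// Good enough to rank the real plaintext above the other 254 candidates.
const JS_TOKENS = ["function", "return", "var ", "new ", "WebSocket", "ws://",
  "http", "window", "document", "(", ")"];
function plausibility(text) {
  const printable = (text.match(/[\x20-\x7e]/g) || []).length / Math.max(text.length, 1);
  let hits = 0;
  for (const t of JS_TOKENS) if (text.includes(t)) hits += 1;
  return printable + hits;
}

// Try every possible shift and keep the most plausible candidate.
function bruteForceShift(obfuscated) {
  let best = null;
  for (let n = 1; n < 256; n++) {
    const text = shiftString(obfuscated, -n);
    const score = plausibility(text);
    if (best === null || score > best.score) best = { shift: n, text, score };
  }
  return best;
}

// XOR each byte with a repeating key; applying it twice restores the input.
function xorBytes(bytes, key) {
  return Uint8Array.from(bytes, (b, i) => b ^ key.charCodeAt(i % key.length));
}
const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/../g) || [], (h) => parseInt(h, 16));
const encoder = new TextEncoder();
const decoder = new TextDecoder();

// Decode a hex-encoded, XOR-masked string once the key is known.
function xorDecodeHex(hex, key) {
  return decoder.decode(xorBytes(fromHex(hex), key));
}

// Constructed samples: what the hidden literals might look like inside a script.
const SHIFTED_SAMPLE = shiftString(PLAIN, 3);
const XOR_SAMPLE_HEX = toHex(xorBytes(encoder.encode(PLAIN), "k3y"));

console.log("shift sample :", SHIFTED_SAMPLE);
console.log("recovered    :", bruteForceShift(SHIFTED_SAMPLE));
console.log("xor sample   :", XOR_SAMPLE_HEX);
console.log("recovered    :", xorDecodeHex(XOR_SAMPLE_HEX, "k3y"));
```

In practice the XOR key and the shift constant are sitting in the same script a few lines away from the encoded literal, which is the point missblit makes: a REPL and a one-line decoder beat "obfuscation" of this grade every time.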
nsajko, almost 5 years ago
https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
SamReidHughes, almost 5 years ago
Huh. I've been using eBay a lot this week, and it might have triggered a kernel bug. I had terrible internet performance that got resolved by rebooting my Ubuntu 18.04 laptop.
floatingatoll, almost 5 years ago
macOS users: I believe, based on my testing, that you can block your installed web browsers from localhost port scanning using LittleSnitch. This way you can continue to allow WebRTC and WebSockets to the rest of the Internet (where it's useful), while denying web browsers access to localhost except for specific ports you allow.

However, I encourage you to be careful and only block web browsers to localhost using this method, because lots of macOS applications depend on localhost connections to talk to themselves, so if you block everything from talking to localhost you may break e.g. LittleSnitch, macOS itself, etc. NO WARRANTY, HAVE BACKUPS, standard stuff.

To set this up, for each /Applications/Browser.app, create a LittleSnitch 'Deny Connections' To 'IP Addresses' rule and enter '127.0.0.1, ::1' without quotes into the text field and click OK. Then right-click on the newly-created application rule and select 'Increase Priority', which will bold the rule text 'Deny outgoing connections to 2 IP addresses'. Repeat this for each Browser.app you use.

If you'd like to specifically enable certain localhost ports to be accessible by your browser (such as 80/443), you can create another rule using the above steps, but before saving the rule, change 'Deny' to 'Allow', click the '\/' dropdown caret button, enter the appropriate port and select TCP. I encountered some UI quirks doing this, but once it's created it works as it should.

Here's a screenshot of the results of my testing, for comparing against. I'm not really familiar with how LS works so I can't offer much support, but I fresh-installed it and left all the defaults alone and it worked, so more advanced users shouldn't have much trouble.
https://i.imgur.com/T0yqrdM.png

Good luck!

(For those wondering if other software can do this: I tested various macOS application firewalls today and most of them either global-allow localhost connections or don't offer outbound filtering at all. So far, the only one that can block web browsers only from connecting to localhost is LittleSnitch, with some quirks that I wrote a note to their support about. At least one let me create the rule and cheerfully said it was active, and then it didn't block anything.)
gear54rus, almost 5 years ago
What can you possibly know from such a scan?

The standard clearly states that pretty much nothing: https://www.w3.org/TR/websockets/#concept-websocket-close-fail

Sure, they're shady and that needs to be blocked, but security implications? Pretty much nil.
jokoon, almost 5 years ago
I remember, while working at some company, I started using a local Flask server.

For some reason, I remember one company router kept making HTTP requests on port 5000 or 8000, can't remember which port, because it was literally showing up on the terminal, with the HTTP path, at random times.

I'm sure being a hacker must be pretty fun these days.
hakcermani, almost 5 years ago
Great article! Finally I got it, between this one and the original post, 'Why is this website port scanning me'. Can anyone shed some thoughts / reasons on why the scan is not performed on Linux machines? Maybe not RDP, but VNC servers, which the scan looks for on Windows m/cs ..
_trampeltier, almost 5 years ago
Could, for example, a website like eBay also access the internal intranet in a company? Or my cloud storage like SharePoint that is open in the same browser?
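The questions from z3t4 (the browser should stop connections that are not to the same origin), zajio1am (browsers allow this by default) and _trampeltier (can a public page reach the intranet?) all come down to one missing check: a page loaded from the public internet being allowed to open sockets to loopback and private addresses. The following is an added example, not code from the thread and not what any browser or eBay actually implements; it sketches the decision a browser or extension could apply before a fetch, XHR or WebSocket is opened. The sample request list is constructed to mirror the thread (a public page probing RDP/VNC ports on localhost), and the treatment of unqualified names and intranet-style suffixes as "private" is an assumption.

```javascript
// Added example: gate cross-origin connections so that a page may only reach
// targets that are at least as "public" as itself. The rank table and the
// intranet-name heuristic are assumptions for the demo, not browser behaviour.

// Higher rank = more local. A page may reach its own rank or a lower one.
const RANK = { public: 0, private: 1, "link-local": 1, loopback: 2 };

// Classify an IP literal; returns null if the string is not an IP literal.
function classifyIp(host) {
  const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const [a, b] = v4.slice(1).map(Number);
    if (a === 127 || a === 0) return "loopback"; // 0.0.0.0 reaches the local host on most OSes
    if (a === 10) return "private";
    if (a === 172 && b >= 16 && b <= 31) return "private";
    if (a === 192 && b === 168) return "private";
    if (a === 169 && b === 254) return "link-local";
    return "public";
  }
  if (host.includes(":")) {
    const h = host.toLowerCase();
    const mapped = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
    if (mapped) return classifyIp(mapped[1]);
    if (h === "::1" || h === "::") return "loopback";
    if (/^f[cd][0-9a-f]{2}:/.test(h)) return "private";   // fc00::/7 unique-local
    if (/^fe[89ab][0-9a-f]:/.test(h)) return "link-local"; // fe80::/10
    return "public";
  }
  return null;
}

// Classify a URL hostname, whether an IP literal or a DNS name.
function classifyHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // URL keeps IPv6 in brackets
  const ipClass = classifyIp(h);
  if (ipClass) return ipClass;
  if (h === "localhost" || h.endsWith(".localhost")) return "loopback";
  // Assumption: single-label names and common intranet suffixes are private.
  if (!h.includes(".") || /\.(local|internal|lan|corp|home)$/.test(h)) return "private";
  return "public";
}

// Decide whether a page at initiatorOrigin may open a connection to targetUrl.
function decide(initiatorOrigin, targetUrl) {
  const src = new URL(initiatorOrigin);
  const dst = new URL(targetUrl);
  if (src.origin === dst.origin) return { allow: true, reason: "same-origin" };
  const from = classifyHost(src.hostname);
  const to = classifyHost(dst.hostname);
  const target = `${dst.hostname}:${dst.port || "(default)"}`;
  if (RANK[to] > RANK[from]) {
    return { allow: false, reason: `${from} page may not reach ${to} target ${target}` };
  }
  return { allow: true, reason: `${from} page -> ${to} target ${target}` };
}

// Constructed request list modelled on the thread: a public page probing
// RDP (3389) and VNC (5900) on localhost, an intranet host, a normal API
// call, and a local dev page talking to a local service.
const SAMPLE_REQUESTS = [
  ["https://www.ebay.com/", "ws://127.0.0.1:3389/"],
  ["https://www.ebay.com/", "wss://localhost:5900/"],
  ["https://www.ebay.com/", "ws://[::1]:5900/"],
  ["https://www.ebay.com/", "https://sharepoint.corp/sites/hr"],
  ["https://www.ebay.com/", "wss://api.ebay.com/socket"],
  ["http://localhost:3000/", "ws://localhost:5000/debug"],
];

function auditAll(requests = SAMPLE_REQUESTS) {
  return requests.map(([from, to]) => ({ from, to, ...decide(from, to) }));
}

for (const r of auditAll()) {
  console.log(r.allow ? "ALLOW" : "BLOCK", r.to, "-", r.reason);
}
```

The rank model is deliberately one-directional: a local dev page may still open sockets to localhost, and any page may still reach the public internet, so the check only removes the public-to-local path the thread is complaining about. A browser applying it would also want an opt-in prompt (as z3t4 suggests for popups) rather than a silent failure, since some legitimate sites do talk to local helper applications.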
dnebdal, almost 5 years ago
Here's how to block websites from port-scanning localhost through the browser: https://www.ctrl.blog/entry/block-localhost-port-scans.html
zimaalsu, almost 5 years ago
I thought it was no secret to anyone that all services track digital fingerprints ... and there are many ways to do this. To fight them I use an anti-detection browser such as https://gologinapp.com/ or others. Are there any alternatives to this?
uniformlyrandom, almost 5 years ago
Google's internal SSO (which I accidentally stumbled upon) collects other endpoint-specific parameters to compose the digital signature (like browser window size and monitor size).

This feels more effective and less intrusive. Not sure why eBay went this rather weird and creepy way instead.
olliej, almost 5 years ago
Wasn't this on the front page just a few days ago?
sloshnmosh, almost 5 years ago
I immediately thought about this after reading the Wikipedia page on Peter Thiel and Palantir, where he stated he wanted to use technology that was used to protect PayPal (which was purchased by eBay).
lazyjones, almost 5 years ago
I thought it would be obvious that eBay is doing this to identify bots (usually on servers) vs. real users (on client-only devices).
jurassic, almost 5 years ago
I'm just a layman, but I don't see how ThreatMetrix could possibly be seen as within the spirit of GDPR. I hope regulators throw the book here.
igravious, almost 5 years ago
Humanity constructed something wonderful and new. (The internet.) And the corporate web has all but destroyed it.