
posted by Fnord666 on Wednesday May 27 2020, @02:40PM   Printer-friendly
from the taking-liberties dept.

eBay users spot the online auction house port-scanning their PCs. Um... is that OK?:

Updated: Users visiting eBay have spotted that the website runs port scans against their computer, using the localhost address to inspect what may be running on your machine.

Fraud is a big issue for eBay, and if the purpose of scanning for remote-control access ports is an attempt to detect criminals logged into a user's computer in order to impersonate them on the tat bazaar, it could have some value. The behaviour, however, was described as "clearly malicious" by security researcher Charles Belmer.

The script attempts WebSocket connections to a number of ports, including 3389 (Microsoft remote desktop), 5931 (Ammy Admin remote desktop), 6333 (VNC remote connection), 7070 (realAudio and Apple QuickTime streaming) and more. The script is running locally so it is not testing for ports exposed to the internet, but rather for what is running on your local network. The port scanning script does not always run. We have only seen it run on Windows, and normally only on the first visit to eBay after some unspecified period.

Developer Dan Nemec used browser debugging tools to trace what is going on – a job made harder, he said, by JavaScript code that is "re-obfuscated on every page load" so that variable names change every time.

It is odd, though: not all the code is obfuscated, so if the script's creators really wanted to cover their tracks they could have done a better job.

Nemec did discover several points of interest, however. One is that the source of the script, called check.js, is src.ebay-us.com, which is a CNAME record pointing at h-ebay.online-metrix.net, which belongs to an organisation called ThreatMetrix Inc, part of LexisNexis Risk Solutions.

Following the scan, Nemec observed, the web page requests images, again from the Threat Metrix domain, which return a 204 code meaning "no content". The payload is in the argument accompanying the requests, which when decrypted contains the results of the port scan and other information, including the user agent (browser identifier), public IP address, and "other data, signatures and things I don't recognize," said Nemec.

[...] Updated to add

eBay got back to us to say that it is "committed to creating an experience on our sites and services that is safe, secure and trustworthy," though it has not responded to any specific concerns over privacy or security. We understand that the reason for the port scanning script is fraud prevention, seemingly by flagging up machines that may be under remote control by miscreants.


  • (Score: 4, Interesting) by looorg on Wednesday May 27 2020, @03:07PM (4 children)

    by looorg (578) on Wednesday May 27 2020, @03:07PM (#999680)

    "re-obfuscated on every page load"

    Doesn't that sort of make it JavaScript malware? That they didn't make a better job at hiding it just speaks to their competency.

    It might not only be an issue if it's "ok", there might also be legal issues. As I recall there are cases where port scanning was considered to be hacking and sort of preparation for a cybercrime. It might be a bit of a nightmare since I doubt they checked with every state and every country to know if they are in compliance, not to mention that people could be obfuscating their actual location via a VPN etc. So is this something that just happens on US eBay, or on all their various euro-mirrors etc. too?

  • (Score: 2) by cykros on Wednesday May 27 2020, @03:47PM (3 children)

    by cykros (989) on Wednesday May 27 2020, @03:47PM (#999711)

    The list of things that have been considered hacking at some point throughout history is long and at times amusing. Using google to find files that probably should be private but aren't and are thus served up to the public unsecured has come up more than once...a bit like charging you with espionage for reading state secrets that were accidentally printed on a billboard.

    If I point my browser to a url at port 80, find nothing, and then try it on 8000, is that a port scan? Does it being automated significantly change anything about the nature of what I'm doing?

    The only wiggle room I can see for issue with this is the fact that it is being done on localhost, rather than from the remote server. But that is true for all manner of javascript, plenty of which I'd argue is equally questionable. Perhaps it is time to set some precedent for what is and isn't acceptable on that front. But I don't think port scanning as a whole should be the focal point here.

    • (Score: 0) by Anonymous Coward on Wednesday May 27 2020, @04:12PM (1 child)

      by Anonymous Coward on Wednesday May 27 2020, @04:12PM (#999741)

      If I point my browser to a url at port 80, find nothing, and then try it on 8000, is that a port scan? Does it being automated significantly change anything about the nature of what I'm doing?

      Maybe. Intentions matter.

      • (Score: 2) by PiMuNu on Thursday May 28 2020, @01:26PM

        by PiMuNu (3823) on Thursday May 28 2020, @01:26PM (#1000146)

        > Intentions matter.

        Mens Rea, in the legal jargon...

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 27 2020, @05:52PM

      by Anonymous Coward on Wednesday May 27 2020, @05:52PM (#999793)

      Does it being automated significantly change anything about the nature of what I'm doing?

      Yes, it does. Much of the justice system has been predicated on the fact that many tasks are intractable at scale, and therefore not regulated. If you introduce scale, you're outside of the original intent of many laws.