eBay users spot the online auction house port-scanning their PCs. Um... is that OK?:
Updated Users visiting eBay have spotted that the website runs port scans against their computer, using the localhost address to inspect what may be running on your machine.
Fraud is a big issue for eBay, and if the purpose of scanning for remote-control access ports is an attempt to detect criminals logged into a user's computer in order to impersonate them on the tat bazaar, it could have some value. The behaviour, however, was described as "clearly malicious" by security researcher Charles Belmer.
The script attempts WebSocket connections to a number of ports, including 3389 (Microsoft remote desktop), 5931 (Ammy Admin remote desktop), 6333 (VNC remote connection), 7070 (realAudio and Apple QuickTime streaming) and more. The script is running locally so it is not testing for ports exposed to the internet, but rather for what is running on your local network. The port scanning script does not always run. We have only seen it run on Windows, and normally only on the first visit to eBay after some unspecified period.
Developer Dan Nemec used browser debugging tools to trace what is going on – a job made harder, he said, by JavaScript code that is "re-obfuscated on every page load" so that variables names change every time.
It is odd, though: not all the code is obfuscated, so if the script's creators really wanted to cover their tracks they could have done a better job.
Nemec did discover several points of interest, however. One is that the source of the script, called check.js, is src.ebay-us.com, which is a CNAME record pointing at h-ebay.online-metrix.net, which belongs to an organisation called ThreatMetrix Inc, part of LexisNexis Risk Solutions.
Following the scan, Nemec observed, the web page requests images, again from the Threat Metrix domain, which return a 204 code meaning "no content". The payload is in the argument accompanying the requests, which when decrypted contains the results of the port scan and other information, including the user agent (browser identifier), public IP address, and "other data, signatures and things I don't recognize," said Nemec.
[...] Updated to add
eBay got back to us to say that it is "committed to creating an experience on our sites and services that is safe, secure and trustworthy," though it has not responded to any specific concerns over privacy or security. We understand that the reason for the port scanning script is fraud prevention, seemingly by flagging up machines that may be under remote control by miscreants.
(Score: 3, Touché) by Anonymous Coward on Wednesday May 27 2020, @03:06PM (8 children)
Is that OK? No.
But what will you do? Go to competing site? For all 3 users of audience?
We had a decentralized Net. We wanted centralization. Now we have what we wanted.
(Score: 4, Insightful) by SomeGuy on Wednesday May 27 2020, @06:49PM (7 children)
Really. Unfortunately the only competition I even know of with any kind of critical mass is some sort of Facebook thing. Compared to Facefook, eBay still looks not so bad.
The future is here. If you want to do business, you have to bend over and let someone probe your port. And you will be happy about it.
(Score: 3, Insightful) by captain normal on Wednesday May 27 2020, @07:32PM (1 child)
I've had great success buying and selling using craigslist.
https://sfbay.craigslist.org/ [craigslist.org]
You can find a site near you at https://craigslist.org. [craigslist.org.]
When life isn't going right, go left.
(Score: 2) by SomeGuy on Thursday May 28 2020, @12:08PM
Craigslist is good, but not quite the same sort of thing. Usually used for local sales.
As others mention, for new stuff plenty of vendors have their own sites as well as Amazon.
But for things like collectibles and used items that one might want to sell over the entire US or globally, eBay still seems to be the only game in town.
(Score: 2) by Mykl on Wednesday May 27 2020, @10:23PM (4 children)
There are alternatives to eBay out there. My wife and I stopped using it years ago (because it is a wretched hive of scum and villainy).
If you want to buy new products, there are heaps of vendors out there selling directly or through other places. There's also Amazon (not saying they're great, just that they're not as bad as eBay).
Most countries have some form of second-hand market. The US has Craigslist. Australia has Gumtree [gumtree.com.au]. I'm sure there are plenty more in other countries.
(Score: 1, Interesting) by Anonymous Coward on Thursday May 28 2020, @02:18AM (2 children)
eBay owns Gumtree Australia,
I don't expect you to believe me - google it yourself.
(Score: 3, Touché) by Mykl on Thursday May 28 2020, @03:23AM (1 child)
Well ... shit.
(Score: 2, Interesting) by Anonymous Coward on Thursday May 28 2020, @06:28AM
Didn't you spot all the embedded fleabay crud creeping in after they borg'd it when you searched for anything on gumtree?
As a souk, gumtree has become increasingly 'sketchy', scammers were always there, but back in the past, when gumtree was both independent and a bunch of Perl code (and not the bloated shit it is now..) you reported a scammer, their postings were dealt with...whereas now, under fleabay control..
Two examples I got fed up reporting here in the UK.
1. A persistent scammer, a business selling Chinese tat workshop equipment had adverts where the seller was listed as one of a group of 5 individuals (all listed at companies house as being officers of said company) rather than the company itself, this being a means of trying to sidestep the company's legal responsibilities for the dodgy chinese tat under the Consumers Right Act by making it appear that all these sales were private...reported the adverts every time I came across them, one year on, they were still at it. I eventually passed the details on to the Trading Standards people down in London where these shits were based, the adverts stopped within a fortnight.
2. Another persistent scammer, this one selling 'warez' at £10 a pop. That, I would have ignored, but it was the fact that he was supplying stuff loaded with Trojans that made me report the bugger..how do I know? Guess who got handed a laptop 'to have a look at' after the owner had installed Autocad from one of this gentlemans finest DVD-Rs and the laptop then started 'acting strange'. This scammer helpfully supplied install instructions, the first one being 'Disable your antivirus software.' the laptop's owner had purchased several DVDs from this shithead, I scanned them, all infected, asking where he got the things lead me to the gumtree postings.
Same story, reported every incidence of his adverts, detailing he was supplying illegal copies of commercial software infected with trojans, bugger all got done. After three months I had to threaten them with FAST and the Business Software Alliance before they finally took any action, though, chances are he's back in business with a new burner mobile number and email address.
The local joke about gumtree is that it's the first place to check if anything of yours is stolen, especially motorbikes and tools, my favourite one so far - the 2 km drums (yes, plural) of optical fibre being sold from a residential address, a flat in a sketchy part of a neighbouring town...not a million miles away from where a new housing development was being cabled up.
(Score: 0) by Anonymous Coward on Thursday May 28 2020, @11:04AM
Gumtree is available in many countries alongside other, regional boards. And here's the situation in my country, for these informed:
1. The main local auction site was good since 2001 until about 2012. Now, they became monopoly, so they decided to go eBay way, including running malware on a computer, blocking users and taking money not for auction, but for showing shipping option (!). There is an alternative, in the last 10 years they had TWO auctions: One in 2012 called "TEST - DO NOT BID" and the second was in 2017 called "TEST TEST TEST".
2. The main auction site bought the main local classified ads site, which means that they pushed personal auctions away from auctions and forced them to the classifieds. Simultaneously they raised prices of these small ads so high that now I visit a bunch of hobby forums to get info who is selling what. Many people started to move to Gumtree.
3. The main classified ads site, along revamp of auction site discussed earlier, got a web interface which is unbearable intentionally only to force users install a rogue app which requires access to GPS, camera and microphone.
There certainly must be some technology to solve these problems. But I think the main problem is between chair and keyboard.
(Score: 4, Interesting) by looorg on Wednesday May 27 2020, @03:07PM (4 children)
Doesn't that sort of make it javascript malware? That they didn't make a better job at hiding it just speak to their competency.
It might not only be an issue if it's "ok", there might also be legal issues. As I recall there are cases where port scanning was considered to be hacking and sort preparation for a cybercrime. It might be a bit of a nightmare since I doubt they checked with every state and every country to know if they are in compliance and not to mention that people could be obfuscating their actual location via a VPN etc. So is this something that just happens on US Ebay or all their various euro-mirrors etc to?
(Score: 2) by cykros on Wednesday May 27 2020, @03:47PM (3 children)
The list of things that have been considered hacking at some point throughout history is long and at times amusing. Using google to find files that probably should be private but aren't and are thus served up to the public unsecured has come up more than once...a bit like charging you with espionage for reading state secrets that were accidentally printed on a billboard.
If I point my browser to a url at port 80, find nothing, and then try it on 8000, is that a port scan? Does it being automated significantly change anything about the nature of what I'm doing?
The only wiggle room I can see for issue with this is the fact that it is being done on localhost, rather than from the remote server. But that is true for all manner of javascript, plenty of which I'd argue is equally questionable. Perhaps it is time to set some precedent for what is and isn't acceptable on that front. But I don't think port scanning as a whole should be the focal point here.
(Score: 0) by Anonymous Coward on Wednesday May 27 2020, @04:12PM (1 child)
Maybe. Intentions matter.
(Score: 2) by PiMuNu on Thursday May 28 2020, @01:26PM
> Intentions matter.
Mens Rea, in the legal jargon...
(Score: 1, Interesting) by Anonymous Coward on Wednesday May 27 2020, @05:52PM
Yes, it does. Much of the justice system has been predicated on the fact that many tasks are intractable at scale, and therefore not regulated. If you introduce scale, you're outside of the original intent of many laws.
(Score: 1, Interesting) by Anonymous Coward on Wednesday May 27 2020, @03:17PM (2 children)
I can see that the web page's code might need to get to a very limited list of ip addresses out on the internet.
What is the use case for going to anything locally except for bad things?
Allowing a web site to run code on my computer is bad enough with good security. Is there an economic reason to have a web browser that prevents all this crazy stuff that web pages do?
(Score: 0) by Anonymous Coward on Wednesday May 27 2020, @06:07PM (1 child)
Um, what??? A web site does NOT need to get a "list of ip addresses out on the internet." That's not how any of this works.
(Score: 0) by Anonymous Coward on Thursday May 28 2020, @12:13AM
Sure, I can make a JS app that goes to a server to get some data.
The data does not have to be on the site that served the JS.
(Score: 0) by Anonymous Coward on Wednesday May 27 2020, @03:23PM (1 child)
I don't need any low-quality Chinese knockoff crap today, so take your port scanners and fuck off.
(Score: 0) by Anonymous Coward on Friday May 29 2020, @07:28AM
You can filter all that crap out by filtering for used items. You can't do that on Amazon.
(Score: 0) by Anonymous Coward on Wednesday May 27 2020, @03:34PM (6 children)
Sure, detecting open ports isn't a complete fraud solution, but it is a data point and it can go into a sort of overall fraud danger score. It's not that different from how game anti-cheat tries to determine if you are doing something bad, except it's less intrusive.
The trouble is that obfuscating the Javascript sure makes them look guilty. It isn't going to be hard for malware to disable the whole scan without caring how it works, meanwhile all it does is slow down the white hats.
(Score: 0) by Anonymous Coward on Wednesday May 27 2020, @03:48PM (1 child)
Why? Almost every modern website uses obfuscated javascript (usually called "minified").
(Score: 3, Insightful) by Anonymous Coward on Wednesday May 27 2020, @04:39PM
Minified and obfuscated are very different. In this case the intent is clearly to confound inspection of the code. Minified Javascript doesn't change on every page load.
(Score: 0) by Anonymous Coward on Wednesday May 27 2020, @06:11PM (3 children)
will you still think this is fine when all commerce is totally dominated by the big online retailers, they all scan all your local ports, and every government that claims jurisdiction over you (city, county, state, fed, UN trade zone, UN proper) and their jack booted enforcers have transparent access to all that data from all sites? the idea of some company scanning your local ports should be ridiculous to anyone with any self respect left.
(Score: 0) by Anonymous Coward on Wednesday May 27 2020, @06:45PM (2 children)
Port scanning is just not that big of a deal. It's like having the Street View car drive past your house. Now everyone knows I have aluminum siding! Oh no!
(Score: 0) by Anonymous Coward on Wednesday May 27 2020, @07:45PM
It's no business of EBay what material my metaphorical sidings are. I've blocked scripts from [*.]online-metrix.net exactly as every piece of malware will now do, so what then?
(Score: 0) by Anonymous Coward on Thursday May 28 2020, @07:18PM
I'm sure people trying to use VPNs to keep from getting blackbagged for visiting some site, or daring to serve content critical to the state/big industry, would love it if the scenario above was realized. Can you not think about other people or into your offspring's future at all?
(Score: 5, Insightful) by Bot on Wednesday May 27 2020, @03:45PM (4 children)
is the result of a simple addition.
Javascript, what could go wrong + websockets, what could go wrong
So, I guess javascript should run in the browser's sandbox in a properly insulated VM. I guess I must give direct access to the 3d card for youtube video and I guess it is a security hole. Fucking 2020s.
Account abandoned.
(Score: 4, Interesting) by cykros on Wednesday May 27 2020, @03:56PM (3 children)
It's getting to the point where I'm lamenting gopher's death. Sure, http(s) does a lot of things better, and if we HAVE to pick only one, we probably made the right choice. Perhaps, however, it'd be better to have a toolbox than just try to use the hammer for everything.
Why should I open up my system to run websockets, javascript, html5, and all manner of other crap just to read static content on a page?
(Score: 2, Insightful) by khallow on Wednesday May 27 2020, @09:07PM (2 children)
(Score: 0) by Anonymous Coward on Thursday May 28 2020, @12:48AM (1 child)
It didn't make internet cheaper. It didn't make internet faster, and now we deal with plebian 'what harm can it do' bullshit like this, pushed by corporate 'the plebs will let us get away with whatever we want' bullshit.
Whether it's computers, the internet, videogames, music, or movies, the mouthbreathing masses have ruined it for those with any sense of privacy, security, or mental competence.
(Score: 0) by Anonymous Coward on Thursday May 28 2020, @01:22AM
Can you run a server and connect to other servers? If so, the internet is not ruined. You just have to find your niche.
(Score: 3, Interesting) by Bot on Wednesday May 27 2020, @03:49PM
-ebay
-wat
-u insecure
-well possibly
-use our services we secure stuff
-well depends on the price
-awful price good kickbacks
-im in
-just add this js
-what does it do
-increases security and might let us gather data which as contract we can collect and sell to trusted third parties
-no prob, we can always blame you if something goes wrong
-deal
Account abandoned.
(Score: 3, Interesting) by Anonymous Coward on Wednesday May 27 2020, @04:23PM (1 child)
Does anybody else remember the Gator Advertising Network? Everybody called it spyware. Basically what it did is spied on your browsing habits to deliver targeted advertising to you. Zoom forward a decade later and that's now the 'modern business model.'
LexisNexis is an interesting find. Assuming it's valid, that is really creepy but not especially surprising. Here [wikileaks.org] is a link to a Wikileaks search for LexisNexis. There are 770 hits. LexisNexis is an information broker that gathers public and private information on individuals/organizations/journalists/media/etc and then sells it to whoever can pay. DC types use it for among normal uses such as legal research/etc but also for things such as vetting people, digging up dirt on targets, and so on. That they may connected to widespread port probing is, again, just creepy. But I'm sure 10 years from now it'll just be another standard business practice.
(Score: 3, Interesting) by Hyperturtle on Thursday May 28 2020, @03:36PM
I do remember that, but in real life am told I am mistaken if I believe that targeted advertising is a privacy invasion--if it means someone has to stop tagging me in their photos or something like that. It turns me into a jerk to point out things they disagreed with before, but that was when they didn't get some free convenience out of it. Do something hideous but cover it up with free stuff, and that makes things much better for a lot of people who don't want to think too hard about it, or even compare to what they were thinking previously about the same stuff.
So uh anyway a good idea for people would be to block "online-metrix.net" on a local DNS server, or within the local hosts file of your computer(s) if you can.
I actually went to go do this on my home network's DNS, and discovered I had blocked it a long time ago because of some other company using it to report back to Lexis Nexis whatever the browsing habits were on some streaming site (I sometimes keep notes of why I add entries to my DNS or access-lists for blocking purposes--this way I have a better chance of unraveling anything I unintentionally broke--but in this case, I didn't record specifically my concern and just that it was a LexisNexis consumer behavior tracker sort of service).
I don't know about you, but their scanning for remote control ports pisses me off. They have no reason to query whether or not I use enterprise features on my home network to make life easier because I like to pretend I know what I am doing-- maybe I am a professional, maybe I am an idiot, but the vibe here is that if I am using professional tools, they'll treat me like a an idiot because only 0wn3d people will fraudluently be remotely controlled--with those ports. (at least with VNC, I altered the default port. RDP via microsoft is a little harder to change as the default settings generally don't allow one to do that and remain compatible between OS versions)
That said, I haven't had any problems whatsoever with ebay despite having blocked that domain. Sometimes pages run a little slow, but that I haven't noticed it hanging on a script.
Incidentally, when I say "blocked" in DNS, it isn't really blocked--I have static entry for the domain that I assign a loopback IP address to, in order to prevent actual queries for such domains and to always provide back the loopback address to anything on my network that does a lookup via DNS. If there is an issue, I bypass the DNS servers if needed and can still get out when dealing with fully qualified domain names like that--routing and IP address control is quite different, as it is often very hard to identify a service within some ISP cloud like amazon--they shift around and often don't even know themselves where their stuff 'lives'. Better to block it by name than do it wrong via number.
By loopback, I mean IPv4 addressing somewhere in the 127.x.x.x range. I assign different numbers per type of service based on my own unprofessional opinion about what something might be doing--plenty of sites out there that do tracking aren't exactly upfront about it, and if it takes more time than i want to research whatever that strange script is trying to call--I'll just add it to DNS and guess what it was doing or trying to do, so that I can sort of categorize it all outside of DNS based on how I set it up within DNS, but it quickly has gotten out of hand... There are lots of bad things out there, and I imagine a lot of my entries have become 'stale'. Still, it has proven to be pretty effective over time.
Since I try to have a sense of humor about it sometimes, I use 127.6.6.6 as the entry for Facebook and its domains [and giphy now, too, ever since they announced the intent to merge giphy into Facebook]. Why 127.6.6.6? Because that guy Mark is a bit of a beast...and they use specific marks to identify us all for their ungodly purposes.
(Score: 0) by Anonymous Coward on Thursday May 28 2020, @09:35PM (1 child)
Details would be nice to help thwart this.
I've always had my browsers "su" to powerless users when launched.
Adding this rule to my firewalls would seem to stop this:
iptables -A OUTPUT -o lo -m owner --uid-owner mybrowser -j DROP
(Score: 0) by Anonymous Coward on Friday May 29 2020, @09:55AM
I changed the judgment to REJECT instead of DROP. The browser hesitates while attempting to connect to localhost.
I noticed this attempt even with -> JavaScript disabled -. The DROP judgment gave me time to see this. The leftmost "0" shows no traffic was transferred. The connection attempt eventually times out. It was reproducible.
tcp 0 1 127.0.0.1:43640 127.0.0.1:443 SYN_SENT 12429/firefox
(Score: 1, Informative) by Anonymous Coward on Friday May 29 2020, @03:57AM
Dooshbaggery is Standard Operating Procedure on the 'tubes. For example, when I go to slashdot.org, the following shows up in my router's log:
May 28 19:15:20 ROTR daemon.warn dnsmasq[2555]: possible DNS-rebind attack detected: login-slashdot-org.uc17.janrain.ws
May 28 19:17:07 ROTR daemon.warn dnsmasq[2555]: possible DNS-rebind attack detected: login-slashdot-org.uc17.janrain.ws
May 28 19:18:39 ROTR daemon.warn dnsmasq[2555]: possible DNS-rebind attack detected: login-slashdot-org.uc17.janrain.ws
May 28 19:20:02 ROTR daemon.warn dnsmasq[2555]: possible DNS-rebind attack detected: login-slashdot-org.uc17.janrain.ws
May 28 19:21:24 ROTR daemon.warn dnsmasq[2555]: possible DNS-rebind attack detected: login-slashdot-org.uc17.janrain.ws
May 28 19:23:52 ROTR daemon.warn dnsmasq[2555]: possible DNS-rebind attack detected: login-slashdot-org.uc17.janrain.ws
May 28 19:25:33 ROTR daemon.warn dnsmasq[2555]: possible DNS-rebind attack detected: login-slashdot-org.uc17.janrain.ws
May 28 19:26:36 ROTR daemon.warn dnsmasq[2555]: possible DNS-rebind attack detected: login-slashdot-org.uc17.janrain.ws
May 28 19:28:38 ROTR daemon.warn dnsmasq[2555]: possible DNS-rebind attack detected: login-slashdot-org.uc17.janrain.ws