Am 20. May, 2022 schwätzte Michael Butash via PLUG-discuss so:

moin moin,

> This is something I posted here a while back, how sites like banks and
> other financials were making scripted local queries to check for open
> "services" or ports as referrals to localhost and ports known to be
> malicious ala some worm or botnet if they should trust you or not.  Quick

Ah, interesting. The main place I've seen it is with discord. I don't
trust those connections aren't malicious. Last night I found it in the
sling authentication process. And by process I mean their web site sucks.

I need to find a way to check which ports they're checking. Maybe start
slow-feeding them 10G of /dev/urandom.

It annoys me that the browser allows connections to localhost from a
non-localhost page.

> way for them to determine what stupid customers of theirs got got already,
> and lower your credit score while at it.  While ok, I get it, trust no one,
> but that's a bit creepy that they're forcing my browser to open sockets to
> local ports to essentially bypass my firewall, port scan my host, while
> connecting to their site, and figure no one mostly will notice.
>
> Far as I know ublock and noscript inherently block most of that (it's
> usually some affiliate credit check firm the bank uses for plausible
> deniability and blame pointing), but I do this by default for the past ~20
> years to notice much.

Yeah, I'm seeing it because I use uMatrix ( from the maker of uBlock
Origin ). I used NoScript for years, but when Firefox moved to the
new add ons model it wasn't ready and I ran into uMatrix, which has a
nicer interface and also covers cookies. Unfortunately uMatrix is now
abandonware.

Recently I saw comment that uBlock Origin has an advanced mode that might
be similar to uMatrix. I need to find that. Default uBlock allows way more
than I want.

> Such is the world we live in.  Shields up!

Absolutely.

ciao,

der.hans

> -mb
>
>
>
> On Fri, May 20, 2022 at 8:27 PM der.hans via PLUG-discuss <
> plug-discuss@lists.phxlinux.org> wrote:
>
>> moin moin,
>>
>> once in a while I run into a site trying to make JavaScript or XHR
>> connections to localhost.
>>
>> What are they doing?
>>
>> Are they setting up backdoor tunnels on localhost?
>>
>> Are they trying to run a daemon out of the browser?
>>
>> Are they trying to escape the sandbox and exfiltrate data?
>>
>> ciao,
>>
>> der.hans
>> --
>> #  https://www.LuftHans.com   https://www.PhxLinux.org
>> #  Eternal vigilance is the price of liberty. -- Thomas Jefferson
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>

-- 
#  https://www.LuftHans.com   https://www.PhxLinux.org
#  Stell dir vor, es ist Krieg und keiner geht hin...