Re: Ebay port scans your pc on every visit.

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/plain)
Delete this message
Reply to this message
Author: der.hans via PLUG-discuss
Date:  
To: Michael Butash
CC: der.hans, Michael Butash via PLUG-discuss
Subject: Re: Ebay port scans your pc on every visit.
Am 25. May, 2020 schwätzte Michael Butash so:

moin moin,

>> Should we be insulted that they don't check for SSH?
>>
>> Ah, "According to Nullsweep, who first reported on the port scans, they do
>> not occur when browsing the site with Linux."
>
> Probably more flattered about ssh - they know they're not getting anything
> out of a linux system anyways.


Could they? I thought there was a problem with JavaScript hitting
localhost a couple years ago and this was blocked.

One of the links in the original article points to a break-down of the
code in question. I'm only about 1/3 of the way through the article, so I
don't yet know how it ends. Spoilers are OK :).

https://blog.nem.ec/2020/05/24/ebay-port-scanning/

As to script blocking below, yeah, other than security-curious people at
conferences, I don't get much buy in. Kidling however is learning to work
with it :).

ciao,

der.hans

> Interesting on the second comment - didn't catch that. Wonder why/how
> windoze allows this, but linux does not? And what about the mac users?
> Now I'm even more curious.
>
> I feel a bit better knowing I'm protected since I don't use windoze for
> anything but visio, but the other billion suckers still using windoze as a
> main rig are screwed as usual.
>
>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
>
> I too use uBlock Origin, mostly for adware lists, but I use NoScript that
> flat disallows sites unless whitelisted. It breaks all sorts of stuff
> until whitelisted, but usually the ones that require me to whitelist more
> than a few domains, I quickly close and forget about. It's pretty scary
> going to big sites like various news outlets just how many domains their
> javascripts are banging your browser with. I've seen upwards of 20-30
> foreign domains all attempting to track/probe you at times - those I close
> quick, blacklist them all, and thank the fact I have script blocking
> enabled.
>
> Trying to get others to use noscript or any sort of whitelist model is
> tough, 99% of the time they don't want the inconvenience and end up turning
> it off. I usually stop taking tech support calls or listening to whining
> after that when they're infected yet again.
>
> -mb
>
>
> On Mon, May 25, 2020 at 6:17 PM der.hans <> wrote:
>
>> Am 24. May, 2020 schwätzte Michael Butash via PLUG-discuss so:
>>
>> moin moin,
>>
>>>
>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
>>>
>>> This was a bit disturbing to read today. Ebay injects a few javascript
>>> connections back to your requesting system, measures a basic socket
>>> connection, telling them if the port is open or not, amounting to
>>> effectively a local host port scan for specified ports, behind a
>> firewall,
>>> from a web page you visited. They are doing this looking for remote
>> admin
>>> applications in fact, rdp, vnc, teamviewer, many others. Hmm.
>>
>> Should we be insulted that they don't check for SSH?
>>
>> Ah, "According to Nullsweep, who first reported on the port scans, they do
>> not occur when browsing the site with Linux."
>>
>> :)
>>
>>> So any public website can query any port from visiting a web page, and
>>> possibly interact with any sort of local or other api on my system?
>>>
>>> I wouldn't think Javascript would be allowed to chain off a host like
>> that,
>>
>> JavaScript can run bitcoin miners on your system. It can also attack and
>> steal the credentials for your bitcoin account and thereby take all your
>> coins. Plus there are the exploits of password browser plugins such as
>> LastPass.
>>
>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any. I
>> even remove the 1st party allowances for most of my browser instances.
>>
>> That does render some site totally unreadable. I ignore most of those.
>>
>> For some sites, I allow certain JavaScript. For instance, for
>> HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I have to
>> allow google and recaptcha in order to checkout. Sometimes I just don't
>> bother with the bundle as it's not worth the annoyance.
>>
>> For ebay, I have a separate browser instance as the site has lots of
>> JavaScript. I generally just don't use ebay very much. I need to get
>> better at running browsers out of containers and restricting their
>> access. In fact, I might finally be in a position to try out qubes.
>>
>> ciao,
>>
>> der.hans
>>
>>> or at least have protections from certain abuse. I suppose it's valid if
>>> linking to another site, but JS/Browsers allowing local random port use
>>> like this, seems ebay is probably not the only ones to abuse this in
>>> certain ways. I know you can do some interesting things with websockets,
>>> seems chaining via same methods to remote interact would be trivial.
>>>
>>> This is pretty devious actually, I'm both a bit scared for ebay, not to
>>> mention all the other sites I "trust", let alone the ones I don't.
>>> Everyone else that just allows pervasively javascript is just hozed.
>> Which
>>> is standard for everyone since javascript existed.
>>>
>>> I use noscript pervasively, and whitelist only valid sites. Ebay is a
>>> valid site, didn't think I had to protect myself, but how would you
>> protect
>>> against this? Curious also the take from web dev's on this, other than
>>> thanks for the tip. :)
>>>
>>> -mb
>>>
>>
>> --
>> # https://www.LuftHans.com https://www.PhxLinux.org
>> # Boredom is self-inflicted...der.hans
>


--
# https://www.LuftHans.com https://www.PhxLinux.org
# ... make it clear I support "Free Software" and not "Open Source",
# and don't imply I agree that there is such a thing as a
# "Linux operating system". - rms---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss