Cari nexiani,
un amico molto tecnico mi segnala questo articolo molto tecnico, che in
buona sostanza rivela come Ebay e molti altri clienti di LexisNexis
utilizzino *anche* la tecnica del port scanning del PC sul quale
funziona il browser (via Javascript) per profilare i visitatori.
Il port scanning è una tecnica che serve per sapere quali porte sono
"aperte" su un host e di conseguenza stabilire quali servizi sono in
funzione sul quell'host.
Siamo sicuri che una tecnica analoga non possa essere usata anche per
**esporre** un'intera rete locale attraverso un reverse tunnell "in
browser" sfruttando questa tecnica:
https://github.com/MDSLab/wstun?!?
(chiedo scusa se ai non addetti ai lavori sembra arabo)
Qualche esperto websocket/Javascript in lista può dirmi se sono
eccessivamente paranoico?
«Ebay is port scanning visitors to their website - and they aren't the only
ones», by Dan Nemec, 24 May 2020
https://blog.nem.ec/2020/05/24/ebay-port-scanning/
--8<---------------cut here---------------start------------->8---
[...] actually discussing a different type of port scanning, one
initiated directly by a website the target loads in their browser. It’s
an ingenius, if not insidious, technique that allows would-be port
scanners to paradrop straight into an internal network and scan it using
Javascript from within the browser context.
As an aside, this is something that a browser extension could block,
however the company behind the port scanning uses techniques to prevent
widespread blocking of their trackers, as we’ll see later.
How Browser Port Scanning Works
While modern browsers allow Javascript to make requests to other domain
names than the one you’re currently visiting (e.g.
www.ebay.com), they
layer on security controls to ensure the target data allows the calling
website to access it. This prevents, for example, a malicious website
from requesting the account details from you bank’s website. However,
even without knowing the contents of the remote site, details about the
connection itself (such as the time it takes to connect or time out) can
be used to infer whether or not a website exists at the given host and
port. A bit of Javascript code can wrap that into a package and allow
any site to scan a user’s internal network, determining which IP
addresses and ports have services running. Further, because many
well-known services are commonly available on the same port (there is a
registration page, but it’s more of a guideline than a hard and fast
rule), it’s possible to also infer some programs that a user may be
running on their network depending on whether the port is open or not.
[...]
In trying to load Ebay locally I found that I couldn’t replicate the
behavior in Linux even after spoofing a Windows User Agent and disabling
all of my extensions. There must be some check hidden in the Javascript,
but as of yet I haven’t found one. After that, I loaded a Windows VM,
installed the latest Edge, fired up
https://www.ebay.com, and I finally
replicated the port scanning behavior. However, I had some trouble
replicating the behavior reliably, and after some trial and error I
found that
https://signin.ebay.com/ was far more reliable for triggering
the port scanning.
[...]
To summarize what we’ve found so far:
* Ebay collects data on whether certain ports are open on your local PC
* This data is shipped to an Ebay domain, but does not seem to be used
* otherwise Additional data like User Agent and IP are also sent
[...] the domain where data is exfiltrated is not a subdomain of
ebay.com - it’s
ebay-us.com. Still, a quick check shows that it’s owned
by somebody at Ebay, so at the very least it isn’t phishing malware.
Twitter user Armchair IR pointed out that similar behavior has been seen
by Facebook and it traced to a company called ThreatMetrix, an identity
tracking/anti-fraud company. Checking the DNS records for
src.ebay-us.com, sure enough it’s a CNAME to
h-ebay.online-metrix.net, a
domain owned by ThreatMetrix Inc.
[...] It’s not just Ebay scanning your ports, there is allegedly a
network of 30,000 websites out there all working for the common aim of
harvesting open ports, collecting IP addresses, and User Agents in an
attempt to track users all across the web. And this isn’t some rogue
team within Ebay setting out to skirt the law, you can bet that
LexisNexis lawyers have thoroughly covered their bases when extending
this service to their customers (at least in the U.S.).
--8<---------------cut here---------------end--------------->8---
Saluti, Giovanni.
--
Giovanni Biscuolo
_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa