Dear nexiani, a very technical friend of mine pointed me to this very technical article, which in essence reveals how Ebay and many other LexisNexis customers *also* use port scanning of the PC the browser is running on (via Javascript) to profile visitors.

Port scanning is a technique used to find out which ports are "open" on a host and, consequently, which services are running on that host.

Are we sure that a similar technique could not also be used to **expose** an entire local network through an "in-browser" reverse tunnel, exploiting this technique: https://github.com/MDSLab/wstun ?!? (apologies if this sounds like Greek to non-specialists)

Can some WebSocket/Javascript expert on the list tell me whether I am being overly paranoid?

«Ebay is port scanning visitors to their website - and they aren't the only ones», by Dan Nemec, 24 May 2020
https://blog.nem.ec/2020/05/24/ebay-port-scanning/

--8<---------------cut here---------------start------------->8---
[...]

actually discussing a different type of port scanning, one initiated directly by a website the target loads in their browser. It’s an ingenious, if not insidious, technique that allows would-be port scanners to paradrop straight into an internal network and scan it using Javascript from within the browser context.

As an aside, this is something that a browser extension could block, however the company behind the port scanning uses techniques to prevent widespread blocking of their trackers, as we’ll see later.

How Browser Port Scanning Works

While modern browsers allow Javascript to make requests to other domain names than the one you’re currently visiting (e.g. www.ebay.com), they layer on security controls to ensure the target data allows the calling website to access it. This prevents, for example, a malicious website from requesting the account details from your bank’s website.

However, even without knowing the contents of the remote site, details about the connection itself (such as the time it takes to connect or time out) can be used to infer whether or not a website exists at the given host and port. A bit of Javascript code can wrap that into a package and allow any site to scan a user’s internal network, determining which IP addresses and ports have services running. Further, because many well-known services are commonly available on the same port (there is a registration page, but it’s more of a guideline than a hard and fast rule), it’s possible to also infer some programs that a user may be running on their network depending on whether the port is open or not.

[...]

In trying to load Ebay locally I found that I couldn’t replicate the behavior in Linux even after spoofing a Windows User Agent and disabling all of my extensions. There must be some check hidden in the Javascript, but as of yet I haven’t found one. After that, I loaded a Windows VM, installed the latest Edge, fired up https://www.ebay.com, and I finally replicated the port scanning behavior. However, I had some trouble replicating the behavior reliably, and after some trial and error I found that https://signin.ebay.com/ was far more reliable for triggering the port scanning.

[...]

To summarize what we’ve found so far:

* Ebay collects data on whether certain ports are open on your local PC
* This data is shipped to an Ebay domain, but does not seem to be used otherwise
* Additional data like User Agent and IP are also sent

[...]

the domain where data is exfiltrated is not a subdomain of ebay.com - it’s ebay-us.com. Still, a quick check shows that it’s owned by somebody at Ebay, so at the very least it isn’t phishing malware. Twitter user Armchair IR pointed out that similar behavior has been seen by Facebook and it traced to a company called ThreatMetrix, an identity tracking/anti-fraud company.

Checking the DNS records for src.ebay-us.com, sure enough it’s a CNAME to h-ebay.online-metrix.net, a domain owned by ThreatMetrix Inc.

[...]

It’s not just Ebay scanning your ports, there is allegedly a network of 30,000 websites out there all working for the common aim of harvesting open ports, collecting IP addresses, and User Agents in an attempt to track users all across the web.

And this isn’t some rogue team within Ebay setting out to skirt the law, you can bet that LexisNexis lawyers have thoroughly covered their bases when extending this service to their customers (at least in the U.S.).
--8<---------------cut here---------------end--------------->8---

Regards,
Giovanni.

-- 
Giovanni Biscuolo
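A detection-side example, added here and not taken from Giovanni's message or Dan Nemec's article: given a page origin and the URLs that page requested (constructed sample data in the shape of the article's observations) plus a constructed CNAME table, it flags connections from a public page to the visitor's loopback/private addresses and hosts whose CNAME chain ends at online-metrix.net. In practice the request list would come from a browser HAR export or a proxy log and the CNAMEs from a resolver; both are stubbed here.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS data: the src.ebay-us.com -> h-ebay.online-metrix.net CNAME
# is the one quoted in the article; the second record is made up for the demo.
CNAMES = {
    "src.ebay-us.com": "h-ebay.online-metrix.net",
    "cdn.example-shop.test": "static.example-cdn.test",
}
TRACKER_DOMAINS = ("online-metrix.net",)  # vendor domain named in the article

def resolve_chain(host, cnames=CNAMES, limit=8):
    """Follow CNAME records from host and return the chain, host first."""
    chain = [host]
    while host in cnames and len(chain) <= limit:
        host = cnames[host]
        chain.append(host)
    return chain

def is_local_target(host):
    """True for loopback/private addresses or 'localhost' (the visitor's own network)."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a public hostname rather than an IP address
    return addr.is_loopback or addr.is_private

def audit_requests(page_origin, request_urls):
    """Flag requests a public page makes to the visitor's own network (the pattern
    behind in-browser port scanning) and hosts whose CNAME chain ends on a tracker."""
    findings = []
    page_is_local = is_local_target(urlsplit(page_origin).hostname or "")
    for url in request_urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme in ("https", "wss") else 80)
        if is_local_target(host) and not page_is_local:
            findings.append(("local-probe", host, port))
        canonical = resolve_chain(host)[-1]
        if any(canonical == d or canonical.endswith("." + d) for d in TRACKER_DOMAINS):
            findings.append(("cname-tracker", host, canonical))
    return findings

# Constructed sample in the shape of the article's observations: a sign-in page
# opening WebSockets to loopback ports and loading a script via src.ebay-us.com.
PAGE = "https://signin.ebay.com/"
REQUESTS = ["ws://127.0.0.1:3389/", "ws://127.0.0.1:5900/",
            "https://src.ebay-us.com/fp/check.js", "https://cdn.example-shop.test/app.js"]
```

Running `audit_requests(PAGE, REQUESTS)` yields two `local-probe` findings for 127.0.0.1 and one `cname-tracker` finding for src.ebay-us.com; the port numbers and script path are constructed, not taken from the article.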