
Are there any security risks associated with client-side port scanning? Or, more specifically, a "trusted" site (e.g., a banking website) loading JavaScript that tries to connect to various localhost ports?

This looks suspicious to me, but seems to be an emerging (or standard?) practice, as referenced in earlier questions here:

Strange Payment Gateway

Also, some Redditors noticed Facebook and banking sites doing this as well:

https://www.reddit.com/r/AskNetsec/comments/4j0nas/why_is_facebook_checking_my_open_ports/

https://www.reddit.com/r/AskNetsec/comments/6825ki/why_is_my_internet_banking_is_scanning_for_vncrdp/

And even cybersecurity researcher Paul Moore sought to sue over this as well:

https://www.cbronline.com/news/halifax-port-scans

https://www.theregister.co.uk/2018/08/07/halifax_bank_ports_scans/

So, what's really going on? Why are they doing this? Can there be security or privacy risks involved?

This answer suggests they may be doing it for some kind of threat detection or anti-fraud process perhaps, but all of this still seems somewhat fishy to me.

  • "Is this legal?" depends on the jurisdiction and the scope of what is legal is out of scope here. – schroeder Sep 16 '19 at 09:41
  • Your one question you linked about port scanning is not the same scope of what you are asking. – schroeder Sep 16 '19 at 09:42
  • Can you clarify if you are asking if localhost port scanning by itself poses a security/privacy risk, or if you are asking if scanning might indicate larger risks? Port scanning alone is not a risky thing to do. – schroeder Sep 16 '19 at 09:50
  • @schroeder The latter --- it seems suspicious to me for these sites to be doing such scans in the first place. I'm also noticing a lot of failed "wss://127.0.0.1:" connections in my browser console log when logged into my bank website (Citibank) (i.e., having my browser try opening connections to that, directed by some downloaded JavaScript from that site), but I'm not sure what the greater purpose may be or even if such behavior might be indicative of some ulterior malicious intent as well (beyond just scanning, which as you stated is benign and can probably just be ignored) – ManRow Sep 16 '19 at 10:08
  • Then you should edit your question to reflect this. – schroeder Sep 16 '19 at 11:30

1 Answer


Why would a web application try to connect to a port on localhost?

A simple explanation that doesn't involve malicious action is developmental tasks. Depending on the environment, some developers may install a local, lightweight copy of the backend API on their development machine. This would allow the frontend code to try and connect to localhost and do its things on the developer machine, rather than the production backend.

Why would such code be in a production app?

It wouldn't be unheard of that someone accidentally pushed code to the wrong branch. I've seen plenty of debug code in production releases. With a big enough codebase and enough developers, someone, somewhere will push some debug code to production, sooner or later.

Are there other explanations?

Yes, certainly. Banks have, depending on the jurisdiction, many obligations they need to fulfill. As you may know, politics is as much about personal image as it is about the actual effect of policies. So some politicians may try to boast that they pushed some regulation that forces banks "to do security stuff", which ends up in regulations like "Banks have to detect if end-users have malware on their computer and warn them".

This sounds good to politicians and other non-tech users, but when these policies then end up in the hands of developers and system administrators, who then have the unfortunate task of implementing these, it quickly turns into a nightmare.

So what do banks usually do in such cases? They buy some software that claims to do exactly that. What does that software do? God knows, but it ticks the checkbox, and that's good enough. What the software actually does isn't important, as long as they can claim it does something. And searching for open ports on the system of the user seems like a good thing to do.

Can this be dangerous for me?

It might have adverse side effects for you. Depending on what the software is set out to do, it may detect legitimate software on your PC as malware and alert the bank that you have malware on your PC. Depending on how the bank is run internally, this might mark you as a "risk user" and give you worse conditions down the line.

Of course, this is very speculative, but it is a risk nonetheless. It also could mess with the software you have on your PC. Simply the act of attempting a new connection could cause your application to react differently, and thus adversely to what you may have intended to do.

Finally, the bank or other website may also detect certain local applications and use this to profile you in different ways, such as "Web Developer" or whatnot. This may be information you consider none of the bank's business.

Is this legal?

I am not a lawyer and I can't answer for the legality of this practice. If you care about your own bank, then I suggest contacting a lawyer in your area. They will certainly be equipped to answer your concerns in regards to your applicable jurisdiction.