57

In helping a corporate user log on to eBay, I noticed that when on the login page, a stream of errors was coming up in the Firefox JS Console about not being able to connect to wss://localhost. This is a bit concerning, obviously. Why would a web site need to connect to a web server running locally?


In looking further, I found that this request comes from check.js at this URL:

https://src.ebay-us.com/fp/check.js?org_id=usllpic0&session_id=586308251720aad9263fb1e7fffd7373

Is this some malicious script injected into eBay, or do they have a legitimate reason for doing that? Does anybody know?

Pedro
ETL
  • 2
    Also see https://security.stackexchange.com/questions/231966/web-sites-executing-local-port-scans-is-this-coming-from-a-library-can-it-be-b#comment474837_231966 – mti2935 May 28 '20 at 21:43
  • Just as a comment. I tried it myself with Mozilla's tracking protection on (which is my mandatory default) and no scan occurred – usr-local-ΕΨΗΕΛΩΝ May 29 '20 at 08:28
  • Apparently in the spirit of "fighting fraud"? https://www.techradar.com/news/ebay-is-port-scanning-users-pcs – MonkeyZeus May 29 '20 at 16:48
  • 1
    Does this answer your question? [Is there a danger to client port scanning?](https://security.stackexchange.com/questions/218078/is-there-a-danger-to-client-port-scanning) Feel free to disable WebSockets in Firefox by setting `network.websocket.max-connections` to zero – ManRow Nov 11 '20 at 11:05
  • 1
    Does this answer your question? [Web sites executing local port scans: Is this coming from a library? Can it be blocked?](https://security.stackexchange.com/questions/231966/web-sites-executing-local-port-scans-is-this-coming-from-a-library-can-it-be-b) –  Nov 13 '20 at 09:58

3 Answers

62

This is eBay running a local port scan over WebSockets. It has been reported recently:

I don't think it's malicious, but it is bad practice; it's sneaky and erodes user trust. They do it before you accept any T&Cs of any kind allowing probing into your own computer.

Similar tactics are used by banks in more or less open ways (it varies).

Pedro
  • 4
    It's interesting that they are able to get around same-origin policy, and have the results of the connection attempts to localhost sent back to the origin (ebay.com). I suppose same-origin policy doesn't apply in this case, because they are only making a connection attempt to localhost, and not actually reading any data from localhost. – mti2935 May 28 '20 at 21:52
  • 1
    I suppose (without having investigated further) that websockets operate under a slightly different set of rules to HTTP traffic. And as well browsers will have their own variations of implementation and security controls. – Pedro May 28 '20 at 21:55
  • 10
    You're right. See https://blog.securityevaluators.com/websockets-not-bound-by-cors-does-this-mean-2e7819374acc for an interesting write-up about this. I agree with what you wrote in your answer. It feels like there is something very insidious about this. – mti2935 May 28 '20 at 22:02
  • 1
    Websockets don't have a same-origin policy – Layne Bernardo May 29 '20 at 23:27
  • 1
    It is malicious, inherently. – R.. GitHub STOP HELPING ICE May 31 '20 at 21:46
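The comments above note that the browser does not apply the same-origin policy to a WebSocket connection attempt, so the only place an Origin check can be enforced is the local service being probed. As an added example (not code from the question, any answer, or eBay), this parses the handshake a browser sends to a localhost WebSocket endpoint, decides on the Origin header the browser sets (page script cannot alter it), and completes or refuses the upgrade; the sample handshake, port 5900 and the origin `https://shop.example` are constructed.

```python
import base64
import hashlib

# RFC 6455 GUID that the server appends to Sec-WebSocket-Key to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample of what a browser sends for new WebSocket("ws://localhost:5900/"); port and origin are hypothetical.
PROBE = (b"GET / HTTP/1.1\r\nHost: localhost:5900\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
         b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
         b"Origin: https://shop.example\r\n\r\n")


def parse_handshake(raw: bytes) -> dict:
    """Parse an HTTP/1.1 request head; return {} for anything that is not one (e.g. a TLS hello)."""
    try:
        head = raw.partition(b"\r\n\r\n")[0].decode("ascii").split("\r\n")
        method, target, version = head[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return {}
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def is_websocket_upgrade(req: dict) -> bool:
    h = req.get("headers", {})
    return (req.get("method") == "GET" and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower() and "sec-websocket-key" in h)


def accept_value(key: str) -> str:
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode("ascii")).digest()).decode("ascii")


def decide(raw: bytes, allowed_origins: frozenset) -> tuple:
    """Return (verdict, origin); verdict is 'not-websocket', 'allowed' or 'rejected'."""
    req = parse_handshake(raw)
    if not is_websocket_upgrade(req):
        return ("not-websocket", None)
    origin = req["headers"].get("origin")  # absent for non-browser clients; treated as foreign
    return ("allowed" if origin in allowed_origins else "rejected", origin)


def respond(raw: bytes, allowed_origins: frozenset) -> bytes:
    verdict, _origin = decide(raw, allowed_origins)
    if verdict != "allowed":
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    key = parse_handshake(raw)["headers"]["sec-websocket-key"]
    return (f"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_value(key)}\r\n\r\n").encode("ascii")
```

Refusing by Origin keeps a foreign page from talking to the local service, but the scan described in the question only needs the outcome of the connection attempt, so the open/closed state of the port still leaks; that part can only be addressed in the browser, such as with the WebSocket setting mentioned in the question's comments.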
18

There's been some discussion of this recently, e.g. here and here.

Suggested reasons for port scanning include: a) fingerprinting to uniquely identify your machine for future reference, or b) attempting to determine whether your machine is part of a botnet, since botnets often use VNC services over various standard ports to control their bots.

  • If I remember right, eBay only runs these port scans if the browser is on Windows, so fingerprinting is likely out... – Fire Quacker May 28 '20 at 15:33
  • 3
    Yes, someone has reported this, it could be because the code isn't as robust as it needs to be or because it's deliberately selective? – Pedro May 28 '20 at 21:56
  • I think this would be useless for fingerprinting (likely, almost all machines would have all ports closed). – the default. May 29 '20 at 12:59
  • @mypronounismonicareinstate No, it's not as likely as you think that most machines would have those ports closed. Ignoring Linux (where VNC is relatively common for its originally intended purpose of remote management), VNC, RDP, and the various known third-party services they check for are not all that uncommon in office settings. – Austin Hemmelgarn May 29 '20 at 13:34
  • @AustinHemmelgarn most visitors to eBay are unlikely to be from an office setting – Tim May 29 '20 at 19:41
12

A German computer magazine was writing about this observation last week and asked eBay for a statement.

eBay's answer was:

There is some widely spread software that is either malware or legitimate software which can be misused to steal the eBay password. This software is listening on certain TCP ports.

By trying to establish a connection to these TCP ports, the (JavaScripts of the) eBay web site tries to find out if such software is currently running.

Martin Rosenau
  • Do you know which magazine it was? – Clockwork May 29 '20 at 18:00
  • 2
    @Clockwork It was the [online magazine of the publisher "Heise"](https://www.heise.de/news/ebay-begruesst-einige-Nutzer-mit-heimlichem-Portscan-4728010.html) who also publishes the "iX" and "c't" magazines. – Martin Rosenau May 29 '20 at 18:59
  • 3
    @Clockwork Heise has been THE authority publisher on IT in Germany for 30 years – jdog May 29 '20 at 22:29