Is eBay Port Scanning Your PC? (Probably)

It’s emerged that using the eBay website causes your Windows PC’s ports to be scanned. The personal data collected gets silently sent back to the mothership.

Logging on triggers suspicious JavaScript that locally scans certain ports. There’s no disclosure, no transparency, no consent and, naturally, no justification from eBay—nor from its contractor, LexisNexis ThreatMetrix.

It might even be illegal. In today’s SB Blogwatch, we stop bidding.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: funfunfunfunfun.


[email protected]@K fleaBay Trix

What’s the craic? Lawrence Abrams reports—“eBay port scans visitors’ computers for remote access programs”:

 When visiting [eBay], a script will run that performs a local port scan of your computer. … Many of these ports are related to … tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammyy Admin … Aeroadmin … Anyplace Control … AnyDesk [and Reflection SSH].

This scan is being conducted by a check.js script … on eBay.com that attempts to connect to … 14 different ports. … The script performs these scans using WebSockets to connect to 127.0.0.1, which is the local computer, on the specified port.

As the port scan is only looking for Windows remote access programs, it is most likely being done to check for compromised computers used to make fraudulent eBay purchases. … While the scanned for programs are all legitimate, some of them have been used as … Remote Access Trojans (RATs) … in phishing campaigns.

When we reached out to eBay for statement we were told: “Our customers’ privacy and data remains a top priority. We are committed to creating an experience on our sites and services that is safe, secure, and trustworthy.”

Nice content-free drawer statement; thanks eBay PR. It gives Tim Anderson pause—“Um … is that OK?”:

 Fraud is a big issue for eBay and if the purpose of scanning for remote-access ports is an attempt to detect criminals logged into a user’s computer in order to impersonate them … it could have some value. … The script is running locally so it is not testing for ports exposed to the internet, but rather for what is running on your local network … by JavaScript code that is “re-obfuscated on every page load.”

The source of the script [is] h-ebay.online-metrix.net, which belongs to an organisation called ThreatMetrix Inc., part of LexisNexis Risk Solutions [which] provides “powerful linking technology… to manage risk and find opportunities,” according to its home page, and promises to help companies “walking the tightrope between fraud and friction.” … The company talks about how to “gather ample ‘trust data’ around customers and their linked devices.”

While it is likely eBay is using the practice to detect fraud, there are a number of issues concerning privacy, consent and security … with some claiming that the practice [is] in breach of the UK’s Computer Misuse Act. … The EU’s General Data Protection Regulation (GDPR) … is another relevant piece of legislation, setting out the conditions for when gathering personal data is lawful.

Who raised the alarm? Charlie Belmer asks, “Why is This Website Port Scanning me?”:

 This [doesn’t] sit well with me, so I went about investigating the practice. … It seems many sites are port scanning visitors for dubious reasons.

A Port scan can give a website information about what software you are running. Many ports have a well defined set of services that use them, so a list of open ports gives a pretty good view of running applications. For instance, Steam (a gaming store and platform) is known to run on port 27036, so a scanner seeing that port open could have reasonable confidence that the user also had steam open while visiting the web site.

In the past I have worked on security products that specifically worried about port scanning from employee web browsers. … So I wanted to be able to alert on any port scanning on machines as a potential compromise, and a site scanning localhost might trip those alerts. … I created a new Windows VM and sure enough, I saw the port scan occurring in the browser tools from the eBay home page.

Whether the port scan is used as part of an infection or part of e-commerce or bank “security checks”, it is clearly malicious behavior and may fall on the wrong side of the law. … I encourage you to complain to the institution performing the scans, and install extensions that attempt to block this kind of phenomenon in your browser, generally by preventing these types of scripts from loading in the first place.

Malicious? @JackRhysider takes the next step:

 Dev tools tells me in Edge by just visiting eBay [that] the website is port scanning my laptop, bypassing my firewall, and doing it in/from the browser. It checked 14 ports.

If this had conducted a full port scan on my internal network and reported the results … is that illegal? This is not portscanning the internet, it’s port scanning my computer, which is behind a firewall in my home.

Give the Brave browser a try. It seems to block this by default.

It boils down to fraud detection. … I do think it’s aggressive and rude. I’m not ok with them doing this to me. But does it help grandma? Maybe.

And Dan Nemec fills in the blanks—“eBay … aren’t the only ones”:

 There’s a story going around the internet about Ebay port scanning its visitors without any permission or even indication that it’s happening. … But why are they doing it, and what is Ebay doing with the data it collects?

They are not illegal. There are tons of people across the world port scanning the internet daily, both for legitimate research reasons and to support malicious aims. On the face of it, the claim is absurd.

I was able to trace the code that launched the connection to 127.0.0.1 back to a service worker executing a Blob URL … a special URL linking to an arbitrary file generated by Javascript. … I don’t know if this was the intention … but it certainly added frustration to the debugging process because it meant each scan origin came from a … URL that was randomly generated and different each time.

[And] all of this Javascript is re-obfuscated on every page load. … Again, none of this is illegal, but it still makes me feel a bit suspicious to know companies are going to such lengths to hide tracking and scanning data from its customers.

Ebay collects data on whether certain ports are open on your local PC, this data is shipped to an Ebay domain, but does not seem to be used otherwise. … If Ebay isn’t using it to decide whether you should be allowed to log in right there, what is it doing with the data?

It’s not just Ebay scanning your ports, there is allegedly a network of 30,000 websites out there all working for the common aim of harvesting open ports, collecting IP addresses, and User Agents in an attempt to track users all across the web. And this isn’t some rogue team within Ebay setting out to skirt the law, you can bet that LexisNexis lawyers have thoroughly covered their bases when extending this service to their customers (at least in the U.S.)

Really though? Is this really something to worry about? Anubis IV offers a colorful metaphor:

 So, assuming you actually invited a salesman into your home, you’d be fine with him sneaking off to check whether the doors and windows are locked, then reporting the state of each one back to his business? Of course not!

I find it unacceptable. … It’s good that eBay wants to ensure that their customers are not being defrauded, and it’s good that they decided to take steps to protect their customers, but the method they selected relies on exfiltrating information that they have no business knowing … and they’re doing so in a surreptitious manner without informed consent.

The correct way to address the issue isn’t to “check whether all the doors and windows are locked.” It’s to simply have the user re-authenticate before purchase, just as numerous other stores already do.

So what is this ThreatMetrix thing? A friend of an Anonymous Coward used it:

 They build a complete history of email addresses, phone numbers, etc. entered on their customers sites, their JS also creates a machine fingerprint. IIRC there’re some 400+ data data points used to score the client.

TM can tell you when the email address was first seen by one of their customers, if it’s a catch-all, or disposable, etc. The number of account registrations on customer sites in the last x days, etc., etc. From that they build a credibility score based on the weighting you give to any of the parameters.

If you shop online, there’s a high probability you’re already in their system along with who knows what PII.

But what can you do? cfbcfbcfb takes the M.A.D. option:

 I don’t remember giving eBay permission to scan my computer for its configuration. Nor do I remember giving sites reason to evaluate my system for ad blockers, or the position of my mouse so they can pop something up when I go to close the page.

Those sites lose their JavaScript privileges. If they don’t work like that, I find another.

Meanwhile, sad_ isn’t sad it won’t work on Linux:

 You sure have to deal with a lot of nonsense if you decide to use Windows.

And Finally:

A glorious return to form for Pogo (with his bouncy friend, SimmerTunes)

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: Kazuhisa Otsubo (cc:by)

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 421 posts and counting.See all posts by richi