Forbes posted a interesting reveal regarding eBay performing scanning to your system when you visit their website. Their intent seems to be in good spirit since they are attempting to identify fraud however, its not nice of them to do it without telling everybody. The original post can be found HERE.
I have been a generally quite happy user of eBay, the world’s most famous online auction site, for nearly 20 years. Happy that is until I found out it was probing my computer when I opened the site in my web browser. Let me just repeat that: probing my computer.
Originally picked up by Charlie Belmer, who works on privacy and security for the privacy-focused DuckDuckGo search engine, and published on his personal blog, the probing behavior was seen to occur with web browsers running on Windows, but not Linux.
What Is A Port Scanner?
Put simply; a port scanner is an application that probes a server or other host for, unsurprisingly, open ports. Every port has a number assigned to it, and those individual port numbers are associated with specific functions or tasks. The port scanner can be used to determine what applications and services are listening on a network, on the internet. Port scanners are used by penetration testers to find weaknesses that can be exploited. They are used by cybercriminals and hackers for the same reason. They are also employed by some malware or fraud detection solutions to look for signs that a computer might be compromised and being used for nefarious purposes. Signs like ports that facilitate remote access tools under Windows are open, for example.
What ports are being probed by eBay?
Bleeping Computer has put together a table showing the total of fourteen ports that are being probed by eBay. Apart from one unknown program on port 63333, the remaining 13 are all remote access tools such as VNC and TeamViewer, for example.
I verified this for myself with both Google Chrome and Mozilla Firefox browsers running on a Windows 10 machine and can confirm that the scanning took place. You can check yourself by hitting F12 in your web browser, clicking on the “network” tab, and then connecting to the eBay site. Those connections to 127.0.0.1, the localhost, or your computer, if you prefer, are the ones being scanned.
For a technical deep dive into port scanning and eBay, you can refer to this excellent, if not really for the average user, report.
What does eBay have to say about this?
I reached out to eBay to ask why these scans are being made, what the data is used for, and whether user consent should be sought before performing such probes on user computers. An eBay spokesperson issued the following statement:
“Our customers’ privacy and data remain a top priority. We are committed to creating an experience on our sites and services that is safe, secure, and trustworthy.”
I understand that eBay has investigated the concern regarding this port scanning activity, which is, indeed, a technology used as part of a fraud protection program used by the company. That particular fraud protection technology being something called ThreatMetrix, used to identify potentially compromised systems and fraudulent activities.
I also contacted LexisNexis Risk Solutions, which provides the ThreatMetrix product, but no comment had been received by the time of publication. I will update this article when a statement has been submitted.
If this is to protect against fraud, what’s the problem?
As someone who has been involved in the online security industry in one way or another for the best part of thirty years, shouldn’t I be applauding eBay for taking security seriously? And there sits the conundrum: yes, I do welcome proactive security measures, but I also like to be extended the courtesy of being asked for consent before my computer is probed in any way. Indeed, ask for this consent, and the chances are pretty high I’d would say yep, no problem. However, even if something were buried in the eBay terms and conditions regarding this, it appears to be of little consequence. Why so? Well, it seems security researchers have determined that this behavior isn’t just for authenticated, logged-in users: the scans are performed for visitors who are not logged-in and even if using the private browsing or incognito mode of the web browser.
What do security researchers say about this port-scanning activity?
Jake Moore, a cybersecurity specialist at ESET, says that it never sits well with him when companies do things in the background without overt warnings. “Although they are trying to cut down on fraud,” Moore told me, “companies like eBay thrive on trust, so when this gets abused, the general consensus could sway the other way and start to look at the competition.” Moore agrees with me that any site that’s connected to our finances is expected to offer the best protection against fraud as is possible. So port scanning appears to be a good practice fraud detection mechanism. “But when websites start scanning ports without prior warning,” Moore concludes, “it can feel intrusive.”
Security expert John Opdenakker agrees. “I don’t expect a website to start scanning on my local computer,” he says, “and sharing my data with third parties without consent.” That third-party would, in this case, be LexisNexis Risk Solutions via the ThreatMetrix product. “Implementing this kind of behavior by default,” Opdenakker says, “without users being clearly informed and having a choice to opt-out to me seems like a serious infringement of privacy regulations.”
Paul Moore, an information security consultant, has seen this kind of port scanning before involving banks probing customer computers whether they are logged in or not. “I fail to understand why firms believe it’s legal and reasonable to perform unauthorized scans of our equipment,” Moore says. Moore told me he understands the need and appreciates the security benefits it may offer both parties, with no malice involved. However, Moore also says this “doesn’t negate the fact that at the point where a scan is carried out, they haven’t been given explicit permission.” Something that Moore asked me to point out would not play well in reverse, if a user performed such a port scan on a bank, or eBay, every time they wanted to access it then the chances are good they would find themselves in trouble with law enforcement. In the U.K., at least, Moore says, “a bank can notify the police of a port scan/breach and have someone arrested in a very short period.”
That opinion does seem to divide opinion within the security community online, and one must assume that questions of legality across operating regions would have been explored in some depth by the eBay legal team before signing off on this.
Ian Thornton-Trump, CISO at Cyjax, says that “figuring out ways to ensure the integrity of the machine over the wire when it’s accessing your own service has always been a struggle and will continue well into the future.” Thornton-Trump told me that he didn’t think active scanning is really useful and short of a packet capture of the entire client-side communication, “you really can’t judge a client by the open ports or client-side responses very accurately.”
How can you prevent eBay from running a port scan of your computer?
There are a number of ways that you can prevent this kind of port scanning of your computer if you are a Windows user. You could try switching to the Brave web browser for connecting to eBay which apparently blocks the port scanning according to users who have tweeted about this. Alternatively, installing the uBlock Origin and NoScript extensions for Chrome and Firefox will also prevent this behavior.
Another way to block port scanning and all Lexis Nexis scripts is to install Port Authority add-on for Firefox. https://addons.mozilla.org/en-US/firefox/addon/port-authority/