This is not okay
There is no explicit request to allow this request, so the domain has now been completely blocked at all levels
Router
Firewall
Devices
Not that I use eBay much nowadays
Users visiting eBay have spotted that the website runs port scans against their computer, using the localhost address to inspect what may be running on your machine. Fraud is a big issue for eBay, and if the purpose of scanning for remote-control access ports is an attempt to detect criminals logged into a user's computer in …
Absolutely. You want to scan my computer? You pop up the question and ask me, along with a description of what you are looking for, where you're looking for it and why you think you have the cheek to ask me.
If you do security checks on your side of the intertubes, that's your business and nothing I have the right to wail about, but on my side, you will only do what I bloody well allow you to.
> The problem is not that eBay uses this, the problem is that javascript allows it.
And because of these issues with Javascript, I've turned to uMatrix (https://github.com/gorhill/uMatrix) to control them all. JS can come into the browser, but does not always leave (depends on MY rules). Can recommend (for most Chrome based browsers and Firefox).
I recall they had .dll in their URLs, but users weren't downloading DLLs to run. Any file extension in a URL is not necessarily tied to any particular file type, server-side. You can configure any web-server to run .dll extensions through php, perl, whatever, or even dispatch an entire domain to a single executable.
Any file extension in a URL is not necessarily tied to any particular file type, server-side.
Any file extension anywhere is not necessarily tied to a particular file type. A file extension is nothing more than a part of the name of a file, and some systems (looking at you Windows) make assumptions about a file based on a file extension.
They build a complete history of email addresses, phone numbers, etc. entered on their customers' sites, their JS also creates a machine fingerprint. IIRC there're some 400+ data points used to score the client. TM can tell you when the email address was first seen by one of their customers, if it's a catch-all, or disposable, etc. The number of account registrations on customer sites in the last x days, etc, etc. From that they build a credibility score based on the weighting you give to any of the parameters. I remember him saying that his firm refused to send a lot of the available/requested data items on privacy grounds.
If you shop online, there's a high probability you're already in their system along with who knows what PII
A couple of years ago I had a demo with LexisNexis for some of their fraud prevention products. I was stunned at the amount of data they had pulled from all kinds of public and private sources of information that they had compiled into their identity databases. Not just the kind of data you'd assume they would have on web browsing/shopping behaviour/location etc, but all sorts of stuff: work history, education history, spouse details, commute time, where kids attended school. There were the things they knew about with high confidence and things they inferred from the entire data set. It was scary. They had 100s of millions of profiles of people in the US. People have some awareness of the Facebooks and Googles of the world but they have little idea of the data these companies that largely fly under the radar have on them.
"[People] have little idea of the data these companies that largely fly under the radar have on them."
That would be an article worth reading, what about it, vultures?
NoScript (etc) turn up just such a terrifying number of these phishy smelling domains on pretty much every online sales site nowadays, and you just know that they're up to no good because many of them use short cryptic domain names that bear no resemblance to their actual company name, almost as if they themselves know that they have something shameful to hide.
If I have no incoming ports open on my firewall (and surely that's the default for most people on a normal NAT router) then what can they do? I'm not saying I approve of eBay trying to do anything on my computers, but surely most people these days (whether malicious or not) will be behind a standard NATting router in its default state. So I don't see what eBay are gaining from this.
Or am I completely misunderstanding what they are doing?
---> nearest we have to a "?" icon.
The Javascript that's doing the scan is running locally so your router's ports aren't involved outside those used to deliver the web page.
I'm sure the array of add-ons I have in Firefox would block the attempt, but as they also block the login page, I'm forced to use Chrome for ebay.
I'm sure the array of add-ons I have in Firefox would block the attempt, but as they also block the login page, I'm forced to use Chrome for ebay.
or you could choose to use Linux.
From Developer Dan Nemec post: "I couldn’t replicate the behavior in Linux even after spoofing a Windows User Agent and disabling all of my extensions."
"Maybe they're blindly using an obfuscation tool they don't really understand."
Probably. There is a lot of cargo-cult programming out in the Corporate World. Probably because they are firing old programmers and hiring wet-behind-the-ears new graduates with absolutely zero street smarts.
Hello:
... obvious that the company is in the business of gathering data ...
Indeed ...
What they use the data they gather for is anyone's guess* but you can be certain that it is not just a fraud prevention exercise.
And if we take into account that what they are doing is very shady if not downright illegal ...
O.
* not really, it's either up for sale or payment on behalf of eBay for the "service" rendered.
And what do you think Ebay's response to you actively scanning their servers, perhaps behind their firewalls via exploits, "to protect against fraud" would be? After all, just because it says ebay.com in the browser doesn't mean their site is secure or that you are on the legitimate ebay.com.
I suspect the response would be in terse legalese threatening hacking charges and prison. It's the active penetration / behind firewalls part of what Ebay is doing that probably makes it illegal, but IANAL.
Probably because they got so good at making sure users can be defrauded. I stopped using eBay many years ago when the steps you needed to take to prevent AFF criminals outweighed the value of the goods you were selling.
Once memorably got a $500 transaction on eBay cancelled and refunded when the seller assured my wife that the bag she had bought was "genuene aligator [sic]". I informed eBay that if they did not cancel and refund that I would have them charged under CITES.
There used to be a cables/connectors business somewhere near Liverpool (I think it was). They had a good sideline in specialist meats, i.e., alligator, ostrich, lots more. Even Japanese sake. All really good stuff.
And they were probably the best ever company for cataloguing and sourcing specialist cables and connectors.
"Absolutely - I always recommend that people should brick up all the windows in their homes to stop burglars getting in."
You've pretty much described a castle, which is a highly secure dwelling designed to resist external attack and minimise attack surface. If you are at very high risk from such an attack, it's a perfectly reasonable solution. The same reason why many shops have shutters, and some houses have grilles on the windows. The corollary with a web browser is obvious. Determine your perceived level of risk/threat, and take proportionate action. Now, where did I put that boiling oil extension...?
"You've pretty much described a castle, [...]"
The small postern gate was used to save opening the main access barriers - like a back door. It was a weak link - subject to subterfuge, imposters, or corruption. An alternative was to use the water/drains tunnel***.
***eg "Small Gods" by Sir Pterry (the "p" is silent as in "Psnow")
the reply bots they employ didn't read your questions and / or didn't understand them and / or don't give a flying monkey fuck because they're not paid to provide any meaningful answers, so they chose a random reply No 36366 thank you & good bye.
Or, should I read they did provide a meaningful answer to a (presumably) clear question, only that I'm too simple to see the true meaning in their reply?
Presumably a lot of eBay fraud is fraudsters buying an 'eBay fraud kit' on the dark web which provides handy features for defrauding buyers and or sellers. So I fully expect that an updated version of that kit was released about 5 minutes after eBay first started doing these scans.
As always, it's us that suffers - the fraudsters won't be impacted in the slightest, except a one-off upgrade payment for the updated fraud kit.
I don't run Windows except when a special application is needed for both TRUST and speed issues. uBlock Origin on Linux makes me feel a bit better. However, lack of transparency does not lend me to volunteer any info to eBay. I would ditch eBay but parts can be hard to come by through other channels without paying too much for both shipping and the part here in Hawaii. Keeping old kit running keeps me a customer unfortunately.
The proper way to do this is to have a click through notification! Also why would any web browser allow this without asking for permission first?
I switched operating systems and stopped using corporate owned social media, I can definitely walk away from eBay without looking back.
First off, from a practical standpoint, I have no problem with EBay trying to detect fraudulent software running on people's machines. This will prevent both the user and EBay from fraud caused by people running greasy greasy unpatched infected-all-to-hell Windows; some people seem to think they can run as infected a system as they want and it should be the (EBay's, bank's, etc.) responsibility when their account is "mysteriously" abused.
That said... GDPR? That's tricky, GDPR honestly makes a lot of normal computer activities a legal grey area. The computer fraud and abuse part.. can't speak about Britain but in US it's very clear, trying usernames and passwords, or buffer overflow, etc., if it succeeds it's gaining access to areas you are not already authorized to access and is a legal problem. Running a port scan is not exceeding anything; the system is willingly answering or refusing connections on each port, and the port scan is not trying to bypass anything on ports that are answered, it's merely closing the connection. This is clearly legal here.
"I have no problem with EBay trying to detect fraudulent software running on people's machines."
In my mind, EBay trying to run a port scanner from inside my firewall without so much as a by-your-leave is just as bad as any other skiddie trying to run code on my machine without asking.
Quite simply, it is NOT benign ... and it's entirely too far over the wrong side of the slippery slope. They should stop the practice immediately and issue a public apology with promises to not do anything of the sort ever again. And even then, I doubt I'd trust them. Once a corporation crosses the line, they always cross it again as soon as they think they can get away with it.
That said... GDPR? That's tricky, GDPR honestly makes a lot of normal computer activities a legal grey area.
Honestly, no it doesn't.
You can do anything legal that you have specific informed consent to do. Doing a port scan is legal, assuming that you have informed consent from somebody to do it, so if you had a website that offers a port scan (eg. shields up run by Steve Gibson which has been running for something like 30 years) then if somebody chooses to visit it and run a port scan then that is entirely legal.
It'd only cease to be legal if he then did something like sell the data that he collected without the end user having specifically consented to that.
The issue comes when somebody then takes the same technology and runs it on somebody who has not specifically been informed and who has not consented. You can't just put a line in page 9000 of your terms and conditions saying that by visiting the site they have accepted this.
So the issue comes down to "did eBay have specific informed consent to run a port scan". As nobody knew they were doing it then by definition they didn't have informed consent to do so. As it wasn't authorised they are breaking the law.
It's not difficult.
What happens if ebay do detect that your PC has the RDP port or VNC port open? Will they warn you or stop you using ebay?
Some people might legitimately have these ports open, say someone on ebay from an office PC where their IT support requires these to be able to remote admin their machines.
I used Ublock on firefox which will hopefully block this behaviour, as without it ebay is full of ads like some tabloid newspapers website.
Mark I 2 asked: "What happens if ebay do detect that your PC has the RDP port or VNC port open? Will they warn you or stop you using ebay?"
Probably not. It'll likely be used, along with other information, to assign a probability of fraud to the actions you're taking.
You might notice, e.g. a little more hoop jumping when you change passwords or enter a delivery address that's not been previously associated with you.
It'll likely be used, along with other information, to assign a probability of fraud to the actions you're taking.
That is how threatmetrix works, yes. They calculate probabilities, and pass that on to their client (ebay in this case) as a threat rating, and it is up to the client to decide what to do with the threat rating. So, for example (random non-specific), usually you don't get prompted for 2-factor authentication when making a purchase on checkout. But for this transaction, for some reason they require 2-factor. It's likely something like threatmetrix (or similar service) has told ebay that this transaction has a higher threat rating than usual, but not so high as to just block it entirely.
They mention scanning messages sent via their system and "cookies and other technologies" (view-source:https://www.ebay.ca/help/policies/member-behaviour-policies/user-privacy-notice-privacy-policy?id=4260 and view-source:https://www.ebay.ca/help/policies/member-behaviour-policies/user-agreement?id=4259) but squat about port-scanning.
I had read a very informative research paper about advanced fingerprinting techniques that use Flash, HTML5 canvas, WebGL, WebRTC, Silverlight and font fingerprinting.
This script is using many of those techniques.
When I'm bored I scan the internet looking for hex-obfuscated code in websites and almost always the beautified and deobfuscated scripts show they are used for nefarious purposes.
Credit-card skimmers, advanced fingerprinting scripts to weed out only intended targets to be served up malware, parking domains that use API keys to bypass adblockers to serve up rootkits from fake browser or flash updates, chained exploits to target minority groups etc.
(And website owners wonder why more and more people are using ad/script blockers.)
"And website owners wonder why more and more people are using ad/script blockers"
Still, with all the threats listed, the first reason I use a script blocker is so the marketing wankers and arsehole coders who make their software don't feed me ads or track my activity so I can be turned into a product to sell; security only comes in second, lol my bank is pretty much empty anyway good luck to em :P
And the other reason for ad blockers / script blockers is... to be able to use the web.
Last night partner burbled about slow computer. Had to reboot the Win7 to get control. On restart and bringing Chrome back up, a cooking recipe site pegged out the CPU and was using >>1 GB within one minute of bringing up a particular page.
With some sites there is no difference between maliciousness and cluelessness. Have to disable scripts on those sites to evade both.
1) How the hell is javascript allowed to make any connections other than to the address in the page's URL, without prompting?
2) If Ebay claim this is perfectly legit, and is to check if *innocent* computers have been compromised, why all the obfuscation?
3) How the hell can they justify sending a report of my internal network to themselves, or anyone?
... and the stuff others have mentioned.
Just thinking out loud here....
I don't run windows, but it's a general javascript hole. I'm unable to disable javascript a lot of the time, so .. what's a good generic way of stopping this?
I guess on android, firewalling all "app" users from the local network, and localhost (maybe open port 53, but I think ns lookups go through the android framework, so may not be necessary..)
On freebsd, run all browsers under a separate network stack (fib) and firewall similarly.....
This still doesn't seem like enough though...
Run a pihole for your local DNS server, pull down a few good big domain blacklists (mine has ~1M records), make sure whatever domains this script is coming from are in that list.
My pihole blocks ~20% of all requests from my home network, with no obvious loss of functionality for wife & kids in most cases (had to whitelist some Kindle Fire stuff).
Ah ok, I get you. No problem.
I'm still shocked (and also, shocked that I didn't know) that a javascript could initiate a connection to any ip and port it likes.... That's damn ridiculous (even if it can only communicate http, it's still yet another fingerprinting mechanism..)
Lots of web pages pull information from sites other than the one that served up the web page. A good example is the javascript libraries themselves are often served up by Content Delivery Networks.
Another trivial example is any website that includes a weather report is probably pulling that data in from an api on a weather site. While they *could* do this at the server, they save themselves a lot of CPU and network bandwidth by getting the browser to do that work.
A big trend in web pages is the single page application. The web page itself only loads once, and everything else is done in Javascript and websocket calls. Turning off Javascript will completely kill this kind of webpage.
It's likely a violation of California Penal Code 502(c), the California Consumer Privacy Act, and the federal Computer Fraud and Abuse Act. (eBay is located here in California.)
Unless and until eBay stops such abusive behavior, I won't use eBay, and will advise others to do the same.
Hmmm... maybe ebay is being fooled here. This marketing company is probably telling them one thing and doing another.
Like telling ebay that their Java back end needs scripts to run so their visitors need a Java Script as well.
We should be able to curtail our javascript capabilities at our own choice. Like yes for layout rendering, but no for a list of all installed fonts. Have a list of what you allow javascript to do and what not.
Hmmm... maybe ebay is being fooled here.
Hmmm ...
And what did Santa bring you last Christmas?
And did the Tooth Fairy leave you more money this time around?
So much quarantine time finally got to you.
Maybe if you get some fresh air? ;^D
O.
Part of the use will be so that fewer security steps are needed for customers, say, entering a new delivery address.
Eg Bob enters a delivery address the security company doesn't already associate with Bob. It looks like Bob's computer but has a previously closed port, often used by hacked machines, now open.
Bob gets the hard Captchas and a text message with a code in.
The difference isn't that harder security can be given to dodgy looking customers, but that easier security steps can be given to honest-looking customers doing honest-looking things.
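The commenters above describe the scoring side in prose only. The following is an added illustration, not ThreatMetrix's or eBay's code: a toy version of "score the session from several signals, then choose the friction level" in JavaScript. The signal names, weights, thresholds and the sample registration events are all invented for the example; a real service uses hundreds of inputs and its own weighting, and the client (eBay in this case) decides what each score means.

```javascript
// Added example, not ThreatMetrix's or eBay's code. Every weight, threshold,
// signal name and sample event below is invented for illustration.

const WEIGHTS = {
  newDevice: 25,             // fingerprint never seen for this account
  newDeliveryAddress: 20,    // address not previously associated with the user
  remoteControlPortOpen: 40, // a VNC/RDP-style port answered on the client
  disposableEmail: 15,       // throwaway mailbox provider
  highSignupVelocity: 30,    // same fingerprint registering many accounts lately
};
const STEP_UP_AT = 30; // hard captcha plus an SMS code
const BLOCK_AT = 80;   // refuse the action outright

// Constructed sample of account registrations seen across "customer" sites.
const SAMPLE_SIGNUPS = [
  { fingerprint: "fp-bob", email: "bob@example.test", day: 3 },
  { fingerprint: "fp-farm", email: "a1@mail.example.test", day: 9 },
  { fingerprint: "fp-farm", email: "a2@mail.example.test", day: 9 },
  { fingerprint: "fp-farm", email: "a3@mail.example.test", day: 10 },
  { fingerprint: "fp-farm", email: "a4@mail.example.test", day: 10 },
];

// Count registrations from one fingerprint within the last `windowDays` days.
function signupsInWindow(events, fingerprint, today, windowDays) {
  return events.filter(
    (e) => e.fingerprint === fingerprint && e.day > today - windowDays && e.day <= today
  ).length;
}

// Sum the weights of the signals that are present, capped at 100.
function riskScore(signals) {
  let score = 0;
  for (const [name, present] of Object.entries(signals)) {
    if (!(name in WEIGHTS)) throw new Error("unknown signal: " + name);
    if (present) score += WEIGHTS[name];
  }
  return Math.min(score, 100);
}

// Map a score onto the friction the site applies to this action.
function decide(signals) {
  const score = riskScore(signals);
  if (score >= BLOCK_AT) return { score, action: "block" };
  if (score >= STEP_UP_AT) return { score, action: "step-up" };
  return { score, action: "allow" };
}

// Build the signal set for one checkout attempt from raw observations.
function assess(obs, events, today) {
  const velocity = signupsInWindow(events, obs.fingerprint, today, 7);
  return decide({
    newDevice: !obs.deviceKnown,
    newDeliveryAddress: !obs.addressKnown,
    remoteControlPortOpen: obs.remoteControlPortOpen,
    disposableEmail: obs.disposableEmail,
    highSignupVelocity: velocity >= 3,
  });
}

// Bob on his usual machine, shipping somewhere new, with a previously closed
// remote-control port now open: enough for step-up, not for a block.
const BOB_NEW_ADDRESS = {
  fingerprint: "fp-bob", deviceKnown: true, addressKnown: false,
  remoteControlPortOpen: true, disposableEmail: false,
};
// Bob doing an honest-looking thing on an honest-looking machine: no extra steps.
const BOB_USUAL = {
  fingerprint: "fp-bob", deviceKnown: true, addressKnown: true,
  remoteControlPortOpen: false, disposableEmail: false,
};
// A fingerprint that has registered four accounts this week from a throwaway mailbox.
const ACCOUNT_FARM = {
  fingerprint: "fp-farm", deviceKnown: false, addressKnown: false,
  remoteControlPortOpen: true, disposableEmail: true,
};

for (const obs of [BOB_NEW_ADDRESS, BOB_USUAL, ACCOUNT_FARM]) {
  console.log(obs.fingerprint, assess(obs, SAMPLE_SIGNUPS, 11));
}
```

The point the commenter makes shows up in the two Bob cases: the same machinery that adds a captcha and a text message for the new-address transaction is what lets the everyday transaction go through with no extra steps at all.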
If you get an answer that starts with "committed to creating an experience", you know that:
A) it's written by a marketing droid, not a technical person
B) it's going to be useless.
B) They are fucking you over, twice.
C) You're not even getting a kiss. 8^7
B) They are going in dry from behind.
C) You're not even getting the courtesy of a reach around.
" ... committed to creating an experience on our sites and services that is safe, secure and trustworthy,"
If I read that piece of PR bollocks one more time, I am going to strangle the nearest oxygen consuming life form. Fuck I am tired of that sort of non-answer double-speak. That we don't all say, "fuck off cockhead and answer the friggin' question" every time we hear this crap is a mistake on our part and only encourages them.
Yeah I feel your pain.... The spin some of these vapid scum suckers come up with.. It's like vomiting in your mouth and then swallowing it...
We respect your privacy and your security is our number 1 concern.... That's why we track you, profile you and then sell it on to all manner of bottom feeders.. Cause we really care
The percentage of fraud that comes from people being manipulated through TeamViewer is very high. This checks to see if this is happening.
Along with a whole load of other factors this can be used to detect potential fraud.
ThreatMetrix doesn't hold any PII as every input is hashed and all the algorithms work on the hashes, not the actual data.
They can even connect fraud occurring by linking data inputs from their different customers. e.g. see a whole load of email accounts being created then suddenly used to apply for financial products or ebay accounts, say. So even though ebay gets a fraud score for their individual users based on the rankings of the various inputs, TM can spot and alert about a bigger fraud case playing out by criminals.
tl;dr nothing to see here.
Anon as former LN employee.
So if you stumble on to one of my websites, I can justify scanning your internal network by saying that I'm doing it for your own security?
It's OK for me to pop into your bathroom when you're in the shower to remind you that the door wasn't locked?
I can look under the hood of your car just to check if it's safe to drive?
Pretty sure it's illegal along with so many other things....like the number of sellers on there that have absolutely no intention of fulfilling your order, they just sell your personal data to Amazon for a %! I'm boycotting Amazon! No way to stop it :-(
I've had to change PCs, account details, physical address and use a different bank card...because my account was targeted and black listed. So many sites out there telling you the problems with them/ horror stories now......I lost my house because of it so had to move anyway.
But I think a large part of the problem is this perverted capitalism we now have. They did away with the Monopolies and Mergers commission 20 odd years ago.....this allowed the most successful of these auction sites simply to buy up and close down the competition. So many good businesses have ended up pretty much solely dependent on ebay and have been forced to close/ go out of business simply because of ebay's shoddy business practices. Some of the time I'm sure it's simply the competition claiming they're selling stolen goods and with no evidence whatsoever ebay shuts them down....
I've known people who have bought a second hand PC and had their account closed/ blacklisted because ebay scanned the CPU ID and decided they didn't like that person. Same with blacklisted physical addresses.....people do move you know, it's not the same person!
You can configure Firefox to block access to localhost using a Proxy Auto-Conf (PAC) file. It wouldn't work with Chromium because it shares proxy-configuration with the host operating system. But it will keep random websites from connecting to or port-scanning services on localhost if you use Firefox! Details here: https://www.ctrl.blog/entry/block-localhost-port-scans.html
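As an added example of the PAC approach (written for this page, not the script from the linked ctrl.blog post), here is a complete PAC file whose `FindProxyForURL` routes anything addressed to loopback, link-local or RFC 1918 addresses to a dead proxy, so the browser never opens a socket to them, while everything else goes `DIRECT`. The dead proxy address `127.0.0.1:1` is an assumption: it only works as a sink if nothing on your machine listens on port 1. Only the `FindProxyForURL(url, host)` entry point is part of the PAC standard; the helper is ordinary JavaScript so the file can be tested outside a browser.

```javascript
// Added example PAC file, not the ctrl.blog author's script. Assumes nothing
// listens on 127.0.0.1:1, so connections sent there simply fail.
var DEAD_PROXY = "PROXY 127.0.0.1:1";

// True for loopback, unspecified, link-local and private (RFC 1918) targets,
// whether given as "localhost", a dotted IPv4 literal or a bracketed IPv6 one.
function isLocalTarget(host) {
  var h = String(host).toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.charAt(0) === "[" && h.charAt(h.length - 1) === "]") h = h.slice(1, -1);
  if (h === "::1" || h === "::") return true;           // IPv6 loopback / unspecified
  if (h.indexOf("::ffff:") === 0) h = h.slice(7);        // IPv4-mapped IPv6 form
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;                                  // a DNS name: not a literal
  var a = +m[1], b = +m[2];
  if (a > 255 || b > 255 || +m[3] > 255 || +m[4] > 255) return false;
  if (a === 127) return true;                            // 127.0.0.0/8 loopback
  if (a === 0) return true;                              // 0.0.0.0/8 "this host"
  if (a === 10) return true;                             // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return true;      // 172.16.0.0/12
  if (a === 192 && b === 168) return true;               // 192.168.0.0/16
  if (a === 169 && b === 254) return true;               // 169.254.0.0/16 link-local
  return false;
}

// PAC entry point: the browser calls this for every request. The same rule
// applies to WebSocket (ws://) URLs, which is how localhost probes are usually made.
function FindProxyForURL(url, host) {
  if (isLocalTarget(host)) return DEAD_PROXY;
  return "DIRECT";
}
```

Two caveats worth knowing before relying on it. First, the check above matches address literals only: a hostname that merely resolves to 127.0.0.1 (a DNS rebinding setup) slips through unless you also call the PAC `dnsResolve()` helper, at the cost of a DNS lookup on every request. Second, it also cuts off anything you run locally and reach through the browser (a local dev server, a router admin page on 192.168.x.x); add an early `return "DIRECT"` for the specific hosts you want to keep.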