Starting in version 1.54, [the browser] Brave will automatically block website port scanning, a practice that a surprisingly large number of sites were found engaging in a few years ago. According to this list compiled in 2021 by a researcher who goes by the handle G666g1e, 744 websites scanned visitors’ ports, most or all without providing notice or seeking permission in advance. eBay, Chick-fil-A, Best Buy, Kroger, and Macy’s were among the offending websites.

this raises my antennae way up but i have to admit, although being probed makes my skin crawl, i don’t actually understand what bad actors can do. it seems bad but that could be fud.

more distressing is the wall of shame; if even slightly true, this is hideous. typing just obvious things i know from just one screenful of a 700±line document: state farm, lending tree, citibank, glassdoor, iberia. for some reason financial firms are heavily represented here.

anyone have any knowledge in this domain? and if it’s an actual problem, what’s the best way to put a ring around it? the actor is inside your browser, so the usual firewall tricks don’t apply.

  • hoshikarakitaridia@lemmy.fmhy.ml
    link
    fedilink
    English
    arrow-up
    13
    ·
    1 year ago

    I don’t actually know what bad actors can do.

    Well, you’re not gonna like this but every pentesting / vulnerability scan starts with a port scan. It’s really there to probe a PC for anything interesting. Although it’s not strictly illegal because you’re just kindly asking a PC to handover any meta information on what is currently running on the PC exposed to the internet, the trajectory is clear and in the contrast the goal is opaque which makes it shady af.

    • Trebach@kbin.social
      link
      fedilink
      arrow-up
      8
      ·
      1 year ago

      it’s not strictly illegal

      You’re not gonna like this but the Computer Fraud and Abuse Act in the US is so ridiculously broad that damn near anything that you do to/in a network that the owner doesn’t permit could be illegal.

      • BearJCC@lemmy.sdf.org
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        A law is only as good as it’s enforcement. Combine this with the major questions doctrine infecting our courts any “broad” law can be ignored by the courts on whimsy.

    • TheInsane42@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      A portscan from the outside, I can dig that (still don’t like it), but sneaking one inside your network via a legit webpage (when you see ebay as legit at least) that’s bad.

    • SHITPOSTING_ACCOUNT@feddit.de
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      My guess is fraud detection - detecting when an account is being accessed from the machine of a customer that a phone scammer talked into installing remote access software. It’s of course not 100% but can be used to e.g. increase a risk score.

      Unusual transaction + no other risk factors? Allow. Unusual transaction + other risk factors? Block or require 2FA or similar.

  • Nitrousoxide@beehaw.org
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    I cannot fathom what a respectable website would need with a port scan. They should normally just be listening to/broadcasting on 80/443. Is it looking to see if the normal html ports are remapped? That’s the only reason I could imagine.

  • BearJCC@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    The Nice: This is possible because the original web protocol allows sites with CORS disabled to be able to still access 127.0.0.1 This allows for websites to assist in setting up installed programs, and plugged in devices. (Long before the days of Electron) or registering warranty. It can also allow locally installed software to communicate with their web counterparts. Your local Steam website could potentially host a site on 127.0.0.1 and tell steampowered.com what games are installed. It can also be used to see if someone is remoting into your computer (or similarly acting malware) and thusly increasing fraud likelihood score, or asking for 2FA. Think grandmas getting scammed over the phone. This is why it is so prevalent on banking sites.

    The Naughty: This can also be used as part of a larger scheme to uniquely Identify users and help detect fraud. Identifying users speeds up login and can reduce local storage duplication even in the case of cookie clearing. They scan as much data about you as they possibly can: 1rdt and 3rd party cookies, local storage, browser size, screen size, operating system, browser, what extensions do you have installed, what ports you have open, etc etc. Faster login and fraud detection sound like noble goals, but in reality these are used to generate an ad profile about you. The more data they collect on you the higher a price ad agencies will pay to advertise. In some cases they will have your name and DOB (think Google and Facebook) but modern systems are complex enough that they don’t need that anymore. In many cases their match of you is more accurate then a literal fingerprint. Now most people don’t have ports open so I don’t know of, off hand, any websites that are doing this but it’s entirely possible. Did you open a port for World of Warcraft? If so we can target WoW and RPG ads to you, etc.

    The evil However you feel about large corporations fingerprinting your online presence this is a reconnaissance technique used by bad actors to find insecurities on your network and device so they can identify ones to hack.

    Consider this analogy: imagine if a corporation went around door to door checking to see if your door is unlocked. They tell you and the government that the reason they are doing that is to see who is liable to get broken into. They also take this data and use it to send you advertisements for door locks. Now someone else goes around door to door dressed like the corporation and actually breaks into your house. The robber definitely broke the law, but was facilitated by the corporation that was borderline breaking the law.

    If you implement a system where they have to ask before testing your lock (like Brave is) you can get the best of both worlds, but you alone are responsible for identifying bad actors.

  • httpjames
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Browsers already have CORS protections which will block XHR/fetch requests, so I was a little confused before reading the article. I find it interesting how they’re using websockets to bypass that