We’ve recently learned about a new and intrusive trend where several well-known websites port scan your computer without prompt just by visiting them. The original article is linked here.
What’s port scanning?
First of all, a port scanner is an application designed to probe a server or host for open ports. Attackers commonly use one to identify the network services running on a host and then look for vulnerabilities to exploit. A port is a communication endpoint that allows applications and services to communicate: when you check your email, for example, you’re reaching the mail server through one or more open ports on it. Typically, when someone port scans you, they target your internet-facing firewall. By default, most firewalls have all inbound ports closed, so such a scan would reveal nothing of interest.
In this situation, the technology being used is an advanced feature present in all major browsers that lets a website’s script open connections to your own computer. Because those probes originate from your browser, inside your network, rather than from the internet, your firewall’s inbound rules never see them, which is how the site can determine which ports are open on your particular computer. This is intrusive, to say the least.
Why are they even scanning your ports?
Well-known websites (think eBay) are currently port scanning you in the name of fraud protection. The apparent reason they’d do this is to detect potentially hacked computers making fraudulent purchases. For example, you were infected through an email phishing attack, and the hackers installed a remote-control tool such as TeamViewer that lets them take over your computer and attempt fraudulent purchases during your logged-in browser session. This technology could flag a transaction as risky if the port scanner discovered TeamViewer. However, there are legitimate uses for TeamViewer, such as when your IT company is helping you with a computer problem remotely. How this technology can tell the difference between malicious and legitimate uses of TeamViewer or similar software is unknown to us, and we question its effectiveness.
Popular websites (Lendup, BeachBody, Citibank, Ameriprise, TD Bank, WePay, etc.) are using port scanners similar to eBay in the name of thwarting fraud, per the linked article.
Why should you care?
The question is: are these port scanners an invasion of privacy? Many IT people on the popular social platform Reddit who understand the underlying technology find it to be an intrusive privacy risk, even if the intentions of these businesses’ websites are pure.
Here are the issues we have with it:
1. If it were obvious that popular websites were using features of your browser to bypass your firewall and port scan your computer, would you still visit that website?
Probably not, or you’d at least want to block that technology if possible.
2. It’s likely these websites are using port scanning to better flesh out your fingerprint in their database. A fingerprint is a collection of unique information about your browser (which happily shares details about your computer, e.g., your operating system, screen resolution, and more) along with other factors used to identify you before you’re authenticated. For example, after logging into a bank account, you may see a prompt “trust this computer”. This really means “remember this fingerprint in your database”. Its primary reason for existing on a bank website is to make the login process quicker. After you select “trust this computer”, next time you may not have to enter an authentication code texted to you, for example. This is because your fingerprint matched the one in the database, so they only need one factor (your password) to authenticate you. In this case you would be giving away some privacy and/or security for the convenience of a quicker login.
With that said, what exactly are these websites tracking in their fingerprint database about you and who is it shared with?
3. Imagine if your computer’s port scan information was collected by, or shared with, ad companies.
It’s well known that big ad companies (Google, Facebook) build elaborate ad profiles from your key data points so you can be tracked and targeted with ads relevant to you. For example, when you search for camping gear, you may see ads for tents on any major website running ads long after your search. These ad companies also create super-fingerprints that work across devices, i.e., your profile has all your fingerprints tied together so ads can follow you from your phone to your home computer or your tablet.
If the port scan data reveals what types of software you’re running, that is a new dataset they can use to target you. One example: QuickBooks Desktop uses port 8019. Could this port scan technology catalog that information and add it to your ad profile? Will you be targeted with a competing solution to QuickBooks because this intrusive port scan happened in the background while you were shopping online?
4. Now the scary part: what if malicious actors gain access to your computer’s port scan data? If hackers could buy a list of businesses running QuickBooks Desktop, for example, they could create a very targeted phishing campaign with a higher chance of success.
What can you do about it?
There are options to block the script facilitating the port scan. Ad blockers such as uBlock Origin and Adblock can be loaded with a blacklist to stop the currently known scripts (spreadsheet located here). The problem is that this list will never be 100% up to date, and port scans will continue as long as companies keep running them and browser technology allows it.
We need major websites to stop using “behind the firewall port scanning” solutions.
We need browsers to disable port scanning of this nature by default or to require a prompt asking permission before a scan is run.
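To show what a browser-side block of this kind of scanning could look like, here is an added example (not code from the original post or from any ad blocker): a guard that a browser extension or user script could install before page scripts run, refusing WebSocket connections aimed at the local machine. It assumes, as the publicly documented eBay case showed, that the scanners probe loopback addresses over WebSocket; the function names and the loopback rules are our own.

```javascript
// Added example, not from the original post: a guard that a browser
// extension or user script could install before page scripts run,
// refusing WebSocket connections aimed at the local machine. Assumes the
// scanners probe loopback addresses over WebSocket (as the documented eBay
// case did); function names and the loopback rules are our own.

// True when a WebSocket URL points at this computer rather than a server.
function isLoopbackTarget(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable URLs are left for the browser to reject
  }
  // URL.hostname keeps the brackets around IPv6 literals; strip them.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "::1" || host === "::" || host === "0.0.0.0") return true;
  // Anything in 127.0.0.0/8 is loopback, not only 127.0.0.1.
  const m = host.match(/^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/);
  return m !== null && Number(m[1]) === 127;
}

// Replace globalObj.WebSocket with a wrapper that refuses loopback targets.
// Each refused attempt is recorded (URL and time) so the user, or a
// detection pipeline, can see which page probed which local port.
function installLoopbackGuard(globalObj) {
  const NativeWebSocket = globalObj.WebSocket;
  const attempts = [];
  function GuardedWebSocket(url, protocols) {
    const target = String(url);
    if (isLoopbackTarget(target)) {
      attempts.push({ url: target, at: Date.now() });
      throw new Error("WebSocket to local address blocked: " + target);
    }
    return protocols === undefined
      ? new NativeWebSocket(url)
      : new NativeWebSocket(url, protocols);
  }
  // Keep prototype and state constants so legitimate code still works.
  GuardedWebSocket.prototype = NativeWebSocket.prototype;
  for (const k of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
    GuardedWebSocket[k] = NativeWebSocket[k];
  }
  globalObj.WebSocket = GuardedWebSocket;
  return attempts; // live array; grows as probes are blocked
}
```

A content script registered at document_start would call installLoopbackGuard(window) and surface the recorded attempts to the user. A page can still obtain an unwrapped WebSocket from a freshly created iframe, so treat this as a detection aid alongside the blacklist, not a complete block.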
Please contact us if you have any questions.