From Security Weekly Wiki


eBay users spot the online auction house port-scanning their PCs. Um... is that OK?

Put this one in the “wait, you’ve gone too far” category. eBay is obviously going to be worried about fraud and takes steps to prevent it on their platform. However, a security researcher named Charles Belmer spotted activity on eBay that goes beyond what I feel is reasonable for fraud detection. Belmer had heard that some sites are performing port scans against visitors’ computers and had been tipped off that eBay had this running. So he started looking into it to determine what he could find.

First, he visited eBay from his usual host, which runs Linux. He didn’t see anything that looked unusual, so he thought that perhaps he needed to visit the site from Windows. Sure enough, when visiting the site from Windows, he observed JavaScript running in the browser and making connection requests to localhost on ports associated with remote access services. The code checks for VNC, RDP, and others.

The Register picked up on Belmer’s initial blog post and followed up with some additional information that they found during their investigation. It turns out that the code being run in the browser comes from a company named ThreatMetrix, which is a subsidiary of LexisNexis. The Register article gets into the data that is sent back to the company, which includes the port scan results, public IP address, and other data points.
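Seen from the visitor’s side, the behaviour described above is a page script opening connections to the loopback interface. The following is an added example, not code from the original post, from Belmer, or from eBay/ThreatMetrix: a small user-script-style guard that wraps the browser’s WebSocket and fetch entry points so that any attempt to reach localhost is logged with the service name the port usually belongs to and, optionally, refused before any packet leaves the machine. The function names, the port-to-service table, and the use of a plain object standing in for window are this example’s own assumptions.

```javascript
// Added example (not from the original post): detect and optionally block
// page scripts that try to connect to the visitor's own loopback interface.
// Hostnames that resolve to the local machine. The WHATWG URL parser
// normalises IPv4 shorthand such as "127.1" or the integer form to dotted
// quad, so the startsWith('127.') check below covers those too.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]', '0.0.0.0']);

// Constructed table of remote-access ports the post mentions (VNC, RDP) plus
// SSH; only used to give the log entry a readable label.
const REMOTE_ACCESS_PORTS = { 22: 'SSH', 3389: 'RDP', 5900: 'VNC', 5901: 'VNC' };

const DEFAULT_PORTS = { 'http:': 80, 'ws:': 80, 'https:': 443, 'wss:': 443 };

// True when the target URL points at the local machine. Relative URLs resolve
// against the page's own origin, so they are never treated as probes here.
function isLoopbackProbe(target) {
  let url;
  try {
    url = new URL(String(target));
  } catch (e) {
    return false;
  }
  const host = url.hostname.toLowerCase();
  return LOOPBACK_HOSTS.has(host) || host.startsWith('127.');
}

// Summarise a flagged target for the log: host, numeric port, service label.
function describeProbe(target) {
  const url = new URL(String(target));
  const port = url.port ? Number(url.port) : (DEFAULT_PORTS[url.protocol] || 0);
  return { host: url.hostname, port, service: REMOTE_ACCESS_PORTS[port] || 'unknown' };
}

// Wrap the connection APIs on globalObj (window in a browser; any object with
// WebSocket/fetch properties in a test). Every loopback target is appended to
// log; with block=true the connection is refused instead of being attempted.
// Probes made via <img> or <script> src would need a setter hook on the
// element prototypes, which this example leaves out.
function installLoopbackGuard(globalObj, { block = true, log = [] } = {}) {
  const OriginalWebSocket = globalObj.WebSocket;
  const originalFetch = globalObj.fetch;

  if (typeof OriginalWebSocket === 'function') {
    globalObj.WebSocket = function GuardedWebSocket(url, protocols) {
      if (isLoopbackProbe(url)) {
        log.push({ api: 'WebSocket', ...describeProbe(url) });
        if (block) throw new Error(`blocked loopback probe: ${url}`);
      }
      return new OriginalWebSocket(url, protocols);
    };
  }

  if (typeof originalFetch === 'function') {
    globalObj.fetch = function guardedFetch(input, init) {
      const target = typeof input === 'string' ? input : input.url;
      if (isLoopbackProbe(target)) {
        log.push({ api: 'fetch', ...describeProbe(target) });
        if (block) return Promise.reject(new Error(`blocked loopback probe: ${target}`));
      }
      return originalFetch.call(globalObj, input, init);
    };
  }
  return log;
}
```

In a browser the call is simply `installLoopbackGuard(window, { block: false, log: [] })` from a user script or extension content script run before page scripts; with `block: false` the guard only records what the page tried, which is the evidence you would want before deciding whether a site’s fraud checks are something you are willing to accept.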

This leads one to ask: is this even legal? The answer is maybe. Whether it is legal or not, it seems very intrusive, and I have no idea how knowing that someone is running RDP will prevent fraud. The Register article is quick to point out that eBay is not doing any follow-up activity on the PCs using the results of the scan. But shouldn’t there be some boundaries to what companies are willing and allowed to perform to check for signs of fraud?

In all the security training that I’ve taught and been a student in, we always get into the idea that we need to get permission for interacting with someone’s computer and network like this. Written permission is always a key component, but I’ve given eBay no permission to scan my computer just by visiting their site. I’m sure a lawyer will point to a Terms of Service page somewhere on their site that says that by using the site, I consent to such activity. Maybe that makes it legal, but a casual user of the site likely has no idea where this is and few of us were likely aware that this is going on.

I’m not a fan of this. I think this is dodgy, regardless of whether it is legal or not. I do understand the need to prevent fraud and to make sure your customers have confidence in the platform they are using, but there are limits to what organizations should do to ensure that confidence. Running a port scan, while not dangerous, seems to go beyond limits that I find reasonable. You may decide to use sites that perform this type of activity because of the benefit you derive from it. That’s fine, but be aware of this type of activity if it is of concern to you.

Finally, eBay responded to The Register’s request for information about the port scanning. They said that eBay is, and I quote, “committed to creating an experience on our sites and services that is safe, secure and trustworthy.” In other words, they gave a non-answer while at least sending an email to the reporter. Bleh.