News – Page 2 – Bootlesshacker's Cybersecurity Blog

eBay is port scanning your system when you visit their website

Something that caught my attention on The Register today – eBay appears to be port scanning computers of their users when they connect to the website.

Potentially, they are doing this to try and prevent those with malware from using their service in an attempt to decrease fraud? It does raise some concerns though. Is what they are doing legal? I know that if I started port-scanning eBay, it definitely would not be considered legal, so why can they do it?

When you visit their website, JavaScript code is executed within your browser which attempts to probe various ports on your system. This JavaScript is executed locally within your browser, so bypasses any restrictions you have in your router firewall. Not only are they testing these ports without consent of their users, but the test being executed is ran locally on a users machine (from within the users network), so is potentially revealing network services that are not even exposed to the outside-world.

In the article written by The Register, it appears they are testing at least 13 different ports. This data then appears to be sent to ThreatMetrix, who are no doubt helping collate this information for eBay.

If you haven’t got a JavaScript blocking plugin installed in your browser (such as NoScript), now is definitely the time to consider installing one. There is no legitimate reason they should be doing this. This is a step too far.

The corporate response to hacks

In case you haven’t heard, EasyJet has recently been subject to a breach involving 9 million customer details, of which 2,200 credit cards were also accessed.

In a statement to the London Stock Exchange, EasyJet claimed they were a target of an attack from a “highly sophisticated source”.

EasyJet may or may not be wrong in their statement, but the words “highly sophisticated” appears to be the default corporate response given from large companies falling foul of a hacking attack. I seem to recall it was only a few years ago when TalkTalk were hacked. TalkTalk were giving off a similar spin: “cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming increasingly frequent”, only for a minor to be arrested a few weeks later.

The attack method used during the TalkTalk hack was an SQL Injection. As I am sure you’re aware, this is a really trivial vulnerability and is very well understood in the industry. It has also been a known attack vector for decades. It is completely inexcusable that a vulnerability of this nature existed in their systems. If they had taken just basic measures of security, this would have been mitigated.

I will be keen to see more technical detail from EasyJet as it emerges. Is this “highly sophisticated” attack going to be something equally trivial?
TalkTalk were fined £400,000 for their breach, but this was prior to GDPR legislation. The maximum fine allowed under GDPR is €20 million, or 4% of annual turnover (whichever is greater). There could be a fairly significant fine involved here. Fortunately, GDPR seems to have made cybersecurity a board room problem, but these attacks are definitely going to remain fairly common place. The real victims here are not the companies who are hacked, but the customers who entrust their data with a company who take relaxed measures in protecting it.

By the way, in case you didn’t know – Dido Harding (who was CEO of TalkTalk when they were breached), is now in charge of the “Track, Test and Trace” effort as part of the UK response to COVID19. Does this fill you with confidence?