Re: An interesting (probably) fingerprinting technique that should fail
From: Bednář Martin
Subject: Re: An interesting (probably) fingerprinting technique that should fail with NBS
Date: Fri, 04 Jun 2021 13:25:02 +0200
User-agent: Roundcube Webmail
Hello all,

I have done several experiments and I can confirm that the Network
Boundary Shield (NBS), which is a part of the JavaScript Restrictor, can
prevent port scanning performed by eBay.com. I would like to summarize
my experiments in this email.

First of all, I can confirm that eBay.com really performs port scanning
on localhost. This can be seen in the captured traffic in figure 1 in
the attachment to this e-mail.

When the NBS is enabled, this port scanning is not successful, because
requests to localhost are blocked by NBS and the user is informed of
suspicious behavior. You can see these notifications in figure 2 in the
attachment to this e-mail.

The last step is to send information about open ports to the eBay
server. Here, my experience differs from the information provided in the
article. I think eBay has changed the way of sending information about
open ports. You can see the current version of this request in
Figure 3 in the attachment to this e-mail. The number of params has changed,
and now all params are encrypted. I was not able to decrypt the
parameters in the query, but I am convinced that the information about open
ports is returned in this request.

That's all from my side. Have a nice weekend,

Martin Bednář
Faculty of Information Technology
Brno University of Technology
On 2021-06-03 10:07, Libor Polčák wrote:

Hello all,

I learnt about
https://web.archive.org/web/20200526092506/https://blog.nem.ec/2020/05/24/ebay-port-scanning/.

Long story short: "It’s not just Ebay scanning your ports, there is
allegedly a network of 30,000 websites out there all working for the
common aim of harvesting open ports, collecting IP addresses, and User
Agents in an attempt to track users all across the web. And this isn’t
some rogue team within Ebay setting out to skirt the law, you can bet
that LexisNexis lawyers have thoroughly covered their bases when
extending this service to their customers (at least in the U.S.)."

The scan should be mitigated by the Network Boundary Shield. But it is
something worth a try to make sure that it indeed does.

And it is also something to think about when we are going to decide
what to do with NBS and manifest v3.

The DNS cloaking based on CNAME seems to be quite a common technique
which beats (some) adblockers. (uBlock Origin was recently patched in
Firefox to use the DNS API to detect DNS cloaking.) Additional reading at
https://blog.lukaszolejnik.com/large-scale-analysis-of-dns-based-tracking-evasion-broad-data-leaks-included/
(or the linked PETS paper).

Libor
Attachments:
1_captured_traffic.png (PNG image)
2_request_blocked.png (PNG image)
3_return_request.png (PNG image)