E-Commerce Site eBay Probes Visitors' Computers For Open Ports, Researchers Find


The e-commerce platform eBay has long been one of the best-known online auction sites. Unfortunately, its good reputation is now accompanied by a less flattering one.

Charlie Belmer, who works on privacy and security for the privacy-focused DuckDuckGo search engine, published a report showing that eBay can probe users who browse its website from a Windows computer, using a technique known as port scanning.

The auction site, popular for auctioning new and used items, was found to use a script called check.js that runs a local port scan on visitors' computers to detect remote support and remote access applications.

It was confirmed that eBay.com scans at least 14 different ports on visitors' computers.

Security researchers found that the script is designed to run for all visitors, not just those who have logged in.

This means port scans are performed on ordinary visitors who are not logged in, and even on visitors who browse eBay in the private browsing or incognito mode of their web browser.

Figure: The script on eBay's website performing a port scan. (Credit: Bleeping Computer)

A port scanner is simply an application capable of probing a server or other host for open ports.

For a host and a client to communicate, the system must open a port, and every port is assigned a number. It is through these numbered ports that a computer communicates for a specific function or task.

Port scanners can be used to determine which applications and services are listening on a network or on the internet. They are also often used by penetration testers to find weaknesses that could be exploited, and such tools are popular among cybercriminals for exactly that reason.

For hackers, for example, port scanners can be built into malware to look for open ports belonging to remote access tools on Windows.

In eBay's case, the scan could be used for ad delivery, fingerprinting, or fraud protection.

Since the port scan looks only for Windows remote access programs, it is most likely deployed by eBay to detect compromised computers being used to make fraudulent purchases.

Figure: The 14 different ports that are scanned and their associated programs, including eBay's reference string. (Credit: Bleeping Computer)

When eBay was asked about this issue, a company spokesperson issued the following statement:

"Our customers’ privacy and data remain a top priority. We are committed to creating an experience on our sites and services that is safe, secure, and trustworthy."

For a company in the e-commerce industry, this kind of technology can help thwart fraud. In eBay's case, its port scanner is simply a proactive security measure, designed to protect its users from fraud.

Any website or online service that handles people's finances is expected to offer the best possible protection against fraud, so port scanning should be good practice for a fraud detection mechanism.

eBay is said to use a fraud protection technology called ThreatMetrix.

However, in a world where people are increasingly concerned about their privacy, eBay should at least ask for consent. Companies as influential as eBay thrive on trust, yet eBay starts scanning ports without prior warning, which can feel intrusive. With no clear way for people to opt out, eBay could be accused of a serious infringement of privacy regulations.

This covert approach to port scanning is simply bad for eBay if it wants to keep earning people's trust in its brand.

If eBay discloses this somewhere deep inside its Terms and Conditions, it should be less of a concern.

Published: 26/05/2020