Brave Aims To Curb Practice of Websites That Port Scan Visitors

An anonymous reader quotes a report from Ars Technica: The Brave browser will take action against websites that snoop on visitors by scanning their open Internet ports or accessing other network resources that can expose personal information. Starting in version 1.54, Brave will automatically block website port scanning, a practice that a surprisingly large number of sites were found engaging in a few years ago. According to this list compiled in 2021 by a researcher who goes by the handle G666g1e, 744 websites scanned visitors' ports, most or all without providing notice or seeking permission in advance. eBay, Chick-fil-A, Best Buy, Kroger, and Macy's were among the offending websites.

Some sites use similar tactics in an attempt to fingerprint visitors so they can be re-identified each time they return, even if they delete browser cookies. By running scripts that access local resources on the visiting devices, the sites can detect unique patterns in a visiting browser. Sometimes there are benign reasons a site will access local resources, such as detecting insecurities or allowing developers to test their websites. Often, however, there are more abusive or malicious motives involved.

The new version of Brave will curb the practice. By default, no website will be able to access local resources. More advanced users who want a particular site to have such access can add it to an allow list. The interface will look something like the screenshot displayed [here]. Brave will continue to use filter list rules to block scripts and sites known to abuse localhost resources. Additionally, the browser will include an allow list that gives the green light to sites known to access localhost resources for user-benefiting reasons. "Brave has chosen to implement the localhost permission in this multistep way for several reasons," developers of the browser wrote. "Most importantly, we expect that abuse of localhost resources is far more common than user-benefiting cases, and we want to avoid presenting users with permission dialogs for requests we expect will only cause harm."

"As far as we can tell, Brave is the only browser that will block requests to localhost resources from both secure and insecure public sites, while still maintaining a compatibility path for sites that users trust (in the form of the discussed localhost permission)" the Brave post said.

Any add-on for Firefox to block this stuff?

[caseih]

I guess I'm living under a rock because I've not heard of this insidious behavior before. Is there anything I can add to Firefox to block this? Will firefox add a control to allow or disallow localhost ws connections?

Re: Any add-on for Firefox to block this stuff?

[e065c8515d206cb0e190]

Same here. How does that even work? Server side script parsing Apache logs and running nmap on collected IPs?

Re: Any add-on for Firefox to block this stuff?

[Arnonyrnous Covvard]

Web sockets are not bound by the same-origin policy. You can literally have a script on your web site which connects to arbitrary IP addresses and ports from the client's browser. The only hurdle is that the socket can not be used by the script if the server on that address and port doesn't respond with the web socket protocol. That is not sufficient protection against port scans, and any web socket service you may have on your LAN is fair game anyway, for any website that can run scripts in your browser (that includes ad scripts). This feature brought to you by the same idiots who thought that web sites need to know how much battery you have left and many more stupid information leaks.

Re:

[e065c8515d206cb0e190]

Can one disallow nasty JavaScript functions? Without impairing the rest?

Re: Any add-on for Firefox to block this stuff?

[arglebargle_xiv]

And as an add-on, WTF would any browser ever allow this by default?

Random malware: "Hi, I'd like to port-scan your internal network"
Browser: "Sure, go right ahead, and let me know if you need any help"

Re:

[AmiMoJo]

Javascript could already establish HTTP/HTTPS connections to arbitrary IP addresses. So can HTML for that matter. Malware would use HTML that tried to load known image files from popular and vulnerable consumer routers, using the default IP address (usually 192.168.0.1) and then use Javascript to see if any of the images loaded.

WebSockets are just a lightweight alternative to HTTPS for transferring data to "live" websites that update their content via Javascript. Think chat apps like Discord, weather and tr

Re:Any add-on for Firefox to block this stuff?

[rmdingler]

Port Authority for Firefox blocks websites from using javascript to port scan your computer/network.

Since this defense has been available for a couple of years, is there any insidious effort afoot by the port jackers to circumvent?/p?

Re:

[caseih]

Thanks for the tip. I've immediately installed it. It seemed to alert me and block the attempt by ebay to run the nexislexis port scan so that's good.

I don't think there's anything new. Just that Brave is baking blocking right into their browser so no add-ons are required.

Re:

[AmiMoJo]

Have you found that eBay still works? I find it's okay with uBlock Origin blocking its port scans.

The only websites I've found to consistently break with privacy enhancements are airline sites. Fortunately I don't need to use them very often.

Re:Any add-on for Firefox to block this stuff?

[RitchCraft]

uBlock Origin has been port scan blocking since 2020. https://www.bleepingcomputer.c... [bleepingcomputer.com]

Re:

[caseih]

Good to know. Port Authority still reported an attempt, though, when I visited E-bay.

Re:Any add-on for Firefox to block this stuff?

[arglebargle_xiv]

uBlock Origin blocks known scripts that do the scanning, not the scanning itself. Port Authority looks for attempts to interact with Lexis Nexus and blocks scripts based on that behaviour. I don't think either of them block scanning in general.

If anyone knows of an extension that does do this, or if any Firefox developers who aren't busy working on the next all-important UI refresh are reading this (if there are any, that is), let the world know.

Re:Any add-on for Firefox to block this stuff?

[nmb3000]

uBlock Origin blocks known scripts that do the scanning, not the scanning itself.

Yes and no. A new privacy filter was added around a year ago [reddit.com] specifically to block intrusion into the local LAN (see the filter here [github.com]). It can be enabled under:

uBlock Settings > Filters > Privacy section > Block Outsider Intrusion into LAN.

I haven't tested it (this issue just having come to my attention, like many others), but it seems like it should block all requests, including WebSockets (used for port scanning). You'll probably have to disable uBlock when on some LAN-hosted pages (like Plex or NAS or router config, etc) or things may break. There are tips in that Reddit thread about unblocking specific hosts. I guess you could also add the $websocket filter option [adblockplus.org] to each entry in the privacy filter and save it as custom rules instead, so that it only blocks web sockets.

Re:

[arglebargle_xiv]

Thanks for that! Just enabled it (it's disabled by default) and tried a pile of LAN stuff, NVR, NAS, IP phone, WiFi APs, a pile of embedded systems devices, and all of them worked fine with it. So definitely worth enabling if you don't have it enabled already.

Re:

[geekmux]

Port Authority for Firefox blocks websites from using javascript to port scan your computer/network...

C'mon now. How about a golf clap for marketing.

Seriously. Great name for that service. Heh.

Re:

[Opportunist]

Marketing can get a golf club if they really want. Right over the head.

Re:

[dargaud]

Is there a technical reason why browsers need a port scanning function built-in ?!? It seems completely stupid. And, let me guess, the scan comes from localhost, so it bypasses many firewalls that'll block scans from outside, right ?

Re:

[cstacy]

I guess I'm living under a rock because I've not heard of this insidious behavior before.

Misread as "living under a root" (kit), but that's my reaction too. Most web sites are read off a CDN, anyway. And port scanning everybody who shows up? Sounds incredibly expensive. What web sites are doing this? Is it just some "dark web" sites for soliciting child porn drug murder cryptocurrency "tech support" via anyDex out of Pakistan?

Wow. Just wow.

[Baron_Yam]

I was thinking these sites were running port scans against unique public IPs visiting them. But to see this is something they request your browser to do on their behalf, to do a port scan at your local system, and that ability is actually built in to your browser with no security?

That's bananas. No web site script should ever be allowed to do ANYTHING other than send my in-window actions back to the web server unless a nice, big "pretty please" security box pops up requiring me to approve it.

Re:

[The MAZZTer]

Actually, all modern web browsers will block attempts to connect anywhere but the original website, with some exceptions (most notably, it will query the website requested to see if it is OK to allow a cross-site request from the original site).

My guess is there is some sort of timing attack going on to detect the difference between a rejected connection and one that the browser blocks after it queries the site to see if it should be allowed. Or there is an indirect method such as referencing a url using a

Re:Wow. Just wow.

[Tailhook]

My guess is there is some sort of timing attack

You don't need to rely on guesswork. The facts are that some browsers do indeed permit requests to 127.0.0.1 and other "local" addresses from JavaScript. Today. Not at some point in the distant past.

Why? Various reasons, all bad. You can read about it in W3's documentation here [w3.org], where 127.0.0.0/8 is explicitly called out as an exception that browsers "may" consider "potentially secure," and thus allow requests, even if responses to those requests are not consumable by JavaScript due to SOP.

If you're still not convinced, go to ports.sh [ports.sh] and test your browser now. If you're foolish enough to be using Firefox in 2023 you will discover that your browser can indeed scan your local ports for open services.

So Baron_Yam's astonishment that this can occur in our day-in-age is not misplaced. There are indeed some browsers still demented enough to permit it.

Also, if you haven't been running Brave as you're go-to browser for at least 2 years now you're a bonehead. Just so you know.

Re: Wow. Just wow.

[RegistrationIsDumb83]

I suppose there is a valid case for browser JS communicating bidirectionally with desktop apps. For instance, being able to be already logged into a website and then sync auth credentials with a desktop app. (Discord seems to do the inverse of this for logging into their support website.) But, that said, it should definitely be opt-in. Especially if asshats like Lexis Nexis is anywhere near it.

Re:Wow. Just wow.

[mosch]

Thank you for the pointer to ports.sh. At a quick glance, it looks like Brave, Safari, and Chrome did not allow the scan, but Firefox did.

Re:

[b3nparker]

Results from running https://ports.sh/full [ports.sh] on my Mac with latest browser versions and no blocking add-ons:

Chrome Version 114.0.5735.198 (Official Build) (arm64) happily ran the scan in an incognito window, It found 4 open ports in the full 65,535 scan.

Firefox Version 114.0.2 (64-bit) runs the scan but the webpage does not update, although the Developer Tools Console shows the scan running. It found no open ports. For the same ports that Chrome found open, FF console logs show as not open.

Brave Versi

Re:

[b3nparker]

I always forget Safari exists ... Safari Version Version 16.5.1 (18615.2.9.11.7) ran the full scan, the webpage updates, and finds no open ports. The same four ports that Chrome shows as open, Safari console output logs as closed.

Re:

[betsuin]

> If you're still not convinced, go to ports.sh [ports.sh] and test your browser now.
> If you're foolish enough to be using Firefox in 2023 you will discover that your browser
> can indeed scan your local ports for open services.

Umm, I ran the script at ports.sh (after turning off NoScript) on my Mac's installed FF:

TCP Port Scanner, Written in Go, Compiled to WebAssembly.
Open Ports:
Open:

Got a whole lot of nothing - not sure what your talking about

Re:

[jbmartin6]

One possibility is that you don't have any ports open on 127.0.0.1, or maybe you toggled on strict anti-fingerprinting options. I am just guessing, I have no direct knowledge of the matter.

Re:

[b3nparker]

Check the Javascript Console while the script is running. You will see the port scan, but in my case FF did not find the same open ports that Chrome found.

Re:

[Somanorg]

If you're still not convinced, go to ports.sh [ports.sh] and test your browser now. If you're foolish enough to be using Firefox in 2023 you will discover that your browser can indeed scan your local ports for open services.

Just tried ports.sh with both Chrome and Firefox and it came back with nothing. Chrome has Ad Block Plus running and Firefox not

Re:

[b3nparker]

Did you try the full 65535 port scan?

Re:

[myrdos2]

If you're foolish enough to be using Firefox in 2023 you will discover that your browser can indeed scan your local ports for open services.

I'm using Firefox 2023 and that website doesn't work. Sadly, a lot of my "I'm using Firefox" stories end that way these days...

Re:

[WaffleMonster]

Actually, all modern web browsers will block attempts to connect anywhere but the original website, with some exceptions (most notably, it will query the website requested to see if it is OK to allow a cross-site request from the original site).

The cross-site restrictions are for shit like sharing cookies, http authorizations, etc. Nothing stops a site from actually hitting remote (or local) servers. It's just that auth context is kept separate. webrtc bits can also be particularly nasty for local fingerprinting.

I don't get it

[Rosco P. Coltrane]

Brave is a browser. It makes TCP connections to certain ports. It certainly isn't in charge of my firewall, nor does it have permissions to fuck around with it - nor could it, because my firewall doesn't reside on my desktop machine.

So what the hell is Brave talking about? There's technically nothing they can do to "stop port scanning": whoever is doing the port scanning will be doing it against my internet-facing firewall, totally unbeknown to the Brave browser.

As for fingerprinting me through port scannin

Re:I don't get it

[Arnonyrnous Covvard]

Websockets can by used to make connections from your browser, i.e. from inside your LAN, behind your internet-facing firewall. The same-origin policy does not apply.

Re:

[Rosco P. Coltrane]

Hmm right, I didn't know that. Thanks for the information!

Brave

[sysstemlord]

That's why Brave is and has been my browser of choice for about a year. its features are so well done that you rarely need third party extensions to get the main things.

What if the origin is localhost?

[dgatwood]

I'm assuming they aren't blocking connections to localhost when that's the page origin. If so, that would make website development a lot harder.

Either way, assuming these actually have a valid purpose, then blocking the request and making the user manually add a site to an allowlist so that the website won't break is entirely the wrong solution.

A more user-friendly approach would be to show a dialog upon the first connection to localhost from a given site saying, "This website wants to connect to an applic

Browser side Javascript is evil.

[Larsen E Whipsnade]

I've always hated it, always distrusted it. Disable it when I can.

(Can't think of a concrete reason to hate node.js, but it bugs me in a suspicion-by-association way.)

Brave is useless

[groobly]

Every time I have tried to use Brave, nothing works on any website I am trying to look at, and I don't have the patience to figure out the 18 things I need to enable to get it to work. Brave is essentially the same thing as disabling the web, which maybe is the right thing to do in the first place.

Re:

[ConceptJunkie]

Brave has been my primary for about 4 years now, and I very rarely have any problems. I've never had to do any weird configuration to make things work.