eBay is port scanning your system when you load the webpage

Have you been to eBay lately? The auction site is a popular destination to buy new and used items. It may surprise you that eBay is running a local port scan when you access the site in a browser.

I verified the port scan on ebay.com and ebay.de using built-in developer tools of several web browsers. It is likely that other eBay sites will also run the port scan.

You can verify this easily. Use a browser such as Google Chrome, Firefox, Brave, Microsoft Edge or Vivaldi. Open a new tab and press the F12 key to open the Developer Tools of the web browser. Switch to the Network tab in the Developer Tools and load the eBay website in the browser’s address bar.

Wait for the page to load and look for entries with 127.0.0.1 in their name in the list of connections. These are the scans that eBay performs when you connect to the site.

You can click on a connection to look up additional information; doing so reveals the port that is scanned by eBay. The scan is run by check.js, a JavaScript file that is executed on eBay when users connect to the site. It uses WebSockets to perform the lookups on the local system using the specified port, and the scans occur regardless of sign-in state.

Bleeping Computer created a handy table that lists the ports:

| Program | eBay Name | Port |
|---|---|---|
| Unknown | REF | 63333 |
| VNC | VNC | 5900 |
| VNC | VNC | 5901 |
| VNC | VNC | 5902 |
| VNC | VNC | 5903 |
| Remote Desktop Protocol | RDP | 3389 |
| Aeroadmin | ARO | 5950 |
| Ammyy Admin | AMY | 5931 |
| TeamViewer | TV0 | 5939 |
| TeamViewer | TV1 | 6039 |
| TeamViewer | TV2 | 5944 |
| TeamViewer | TV2 | 6040 |
| Anyplace Control | APC | 5279 |
| AnyDesk | ANY | 7070 |

Most of the ports are used by remote desktop applications such as VNC, TeamViewer, or Windows Remote Desktop. The eBay name is an abbreviation of the remote desktop software.
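To review a capture without scrolling through the Network tab, the following added example (not code from eBay, Bleeping Computer or this article's author) lists every request in a HAR export that targets a loopback address and labels its port using the table above. The function names and the sample entries are constructed for illustration, and it assumes the WebSocket connections appear in the export as ordinary entries with a `request.url`.

```javascript
// Port-to-program mapping copied from the table in this article.
const KNOWN_PORTS = {
  63333: "Unknown (REF)",
  5900: "VNC", 5901: "VNC", 5902: "VNC", 5903: "VNC",
  3389: "Remote Desktop Protocol",
  5950: "Aeroadmin", 5931: "Ammyy Admin",
  5939: "TeamViewer", 6039: "TeamViewer", 5944: "TeamViewer", 6040: "TeamViewer",
  5279: "Anyplace Control", 7070: "AnyDesk",
};

// True for hostnames that point at the visitor's own machine.
function isLoopback(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  return h === "localhost" || h === "::1" || /^127(\.\d{1,3}){3}$/.test(h);
}

// Returns one record per HAR entry whose request targets a loopback address.
function findLoopbackProbes(har) {
  const defaults = { "ws:": 80, "wss:": 443, "http:": 80, "https:": 443 };
  const probes = [];
  for (const entry of har.log.entries) {
    let url;
    try {
      url = new URL(entry.request.url);
    } catch {
      continue; // skip entries whose URL cannot be parsed
    }
    if (!isLoopback(url.hostname)) continue;
    // URL.port is "" when the scheme's default port is used.
    const port = url.port ? Number(url.port) : defaults[url.protocol];
    probes.push({
      scheme: url.protocol.replace(":", ""),
      port,
      program: KNOWN_PORTS[port] || "not in table",
    });
  }
  return probes;
}

// Constructed sample shaped like a HAR export; not a real capture.
const sampleHar = { log: { entries: [
  { request: { url: "https://www.ebay.com/" } },
  { request: { url: "wss://127.0.0.1:5900/" } },
  { request: { url: "wss://127.0.0.1:3389/" } },
  { request: { url: "wss://127.0.0.1:63333/" } },
  { request: { url: "ws://localhost:8080/" } },
] } };

console.table(findLoopbackProbes(sampleHar));
```

To use it on a real capture, pass the parsed JSON of a HAR file saved from the Network tab to `findLoopbackProbes`.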

Nullsweep, the site that reported the issue first, discovered that the port scans were not run on Linux client systems.

It is unclear why eBay is running the port scans. A likely explanation is that it is done to combat fraud, e.g. to detect cases in which someone has taken over a computer, established a remote desktop connection, and uses it to make purchases on eBay, run fake auctions, or commit fraud by other means.

Reactions on Twitter and other social media sites are negative for the most part. Users criticize eBay for scanning ports at all, and for scanning ports of users who are not signed in to the site.

What you may do about it

If you don’t want your systems to be port scanned by eBay whenever you connect to the site, you may be able to do something about it.

  1. Block the check.js script in a content blocker.
  2. In some browsers, e.g. Firefox, disable WebSockets.

The eBay site loads the check.js script from the following URL currently: https://src.ebay-us.com/fp/check.js

A filter rule such as ||src.ebay-us.com^*/check.js should work.

The URL may change and it is different when you connect to localized eBay sites, e.g. eBay.de.

The other option, to disable WebSockets entirely, may lead to incompatibilities and loading issues on sites. Still, it is possible in Firefox by setting the parameter network.websocket.max-connections to 0.

(via Born)