Jack Cyber-security graduate student interested in researching privacy and security issues.

Port Authority - Stopping Javascript Port-Scanning Once and For All

for Firefox

Port Authority

This project aims to stop websites from using JavaScript to port scan your computer/network, and to dynamically block all LexisNexis endpoints from running their invasive data collection scripts.

This addon is free and open-source software (FOSS); all code can be found here: https://github.com/ACK-J/Port_Authority

     
  • GUI: The GUI with options to toggle the functionality of the addon.
  • Chick-fil-A: Chick-fil-A attempting to run ThreatMetrix scripts but being blocked by Port Authority.
  • Discord: Discord port scans your computer trying to connect with the desktop Discord app.

What does this addon do?

  1. Blocks all possible types of port scanning through your browser (HTTP/HTTPS/WS/WSS/FTP/FTPS) for IPv4 and IPv6.
  2. Dynamically blocks the ThreatMetrix tracking scripts made by one of the largest and least ethical data brokers in the world (Lexis Nexis)
  3. Easily auditable, with the core functionality being about 150 lines of code. HERE
  4. Gives a nice notification when one of the above scenarios is blocked
  5. This addon doesn’t store/transmit any data or metadata about you or your requests… because, ya know, privacy
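The check behind item 1 can be sketched as follows. This is an added example, not Port Authority's own code: the function names, the address ranges covered, and the policy of letting local pages reach local services are assumptions made for illustration.

```javascript
// Added example, not Port Authority's own code.
const SCHEMES = new Set(["http:", "https:", "ws:", "wss:", "ftp:", "ftps:"]);

// Loopback, RFC 1918, link-local and 0.0.0.0/8 IPv4 ranges.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255)) return false;
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// ::1, ::, fc00::/7, fe80::/10 and IPv4-mapped private addresses.
function isPrivateIPv6(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "::1" || h === "::") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h)) return true;
  // The URL parser serializes ::ffff:127.0.0.1 as ::ffff:7f00:1.
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isPrivateIPv4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
}

// True when the URL uses a scannable scheme and points at a local address.
// new URL() also normalizes numeric forms such as http://2130706433/.
function isLocalTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (!SCHEMES.has(url.protocol)) return false;
  const host = url.hostname.toLowerCase();
  return host === "localhost" || host.endsWith(".localhost") ||
    isPrivateIPv4(host) || isPrivateIPv6(host);
}

// Assumed policy: block local targets unless the requesting page is itself local.
function shouldBlock(requestUrl, originUrl) {
  return isLocalTarget(requestUrl) && !isLocalTarget(originUrl);
}
```

Parsing with `new URL()` before matching matters because decimal, hex and IPv4-mapped spellings of 127.0.0.1 would slip past a check that only compares the raw string.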

How to test that it works?

I made a page that can quickly test if all the different forms of port scanning and ThreatMetrix scripts are stopped by your browser. PortScanTest

Why did I write this addon?

I was intrigued back in May of 2020 when eBay got caught port scanning their customers. I noticed that all of the articles covering this topic mentioned that there was nothing you could do to prevent it… so I wanted to make one. After going down many rabbit holes, I found that this script, which was port scanning everyone, is, in my opinion, malware.

Here’s why I think that:

  • The data being exfiltrated from your computer is encrypted into an image with XOR.
  • The domain it reaches out to is made to look legitimate but redirects using a CNAME record to Lexis Nexis’ servers.
  • It can determine your “real IP” address even if you use a VPN / Proxy HERE.
  • The JavaScript is assembled via string.join (like malware often does) and then executed in a service worker.
  • Each time you load the page, the javascript is re-obfuscated.
  • The script collects 416 pieces of personally identifiable information about you and your network. ( Shown HERE )

So I developed multiple ways to stop this. The first is the existing functionality built into Port Authority. By default, Port Authority will check the sites that your browser reaches out to, and if it redirects to Lexis Nexis’ infrastructure, it will be blocked, and you will receive a notification. The second is a Python script I wrote which uses Shodan to find all of Lexis Nexis’ customer-specific domains on the internet HERE. You can add the script’s output to a blocker such as uBlockOrigin to prevent your computer from connecting to them.

Note: This second method will never include every customer-specific endpoint, so you are better off using the dynamic blocking built into Port Authority which WILL block every customer-specific endpoint Lexis Nexis uses.
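The dynamic check described above comes down to resolving a hostname's canonical name and comparing it against the tracker's infrastructure domain. The sketch below is an added example, not Port Authority's own code: `tracker-infra.example` is a placeholder suffix, the hostnames are constructed, and the resolver is injected (in Firefox it could wrap `browser.dns.resolve(host, ["canonical_name"])`, which is an assumption about how such a check would be wired up).

```javascript
// Added example, not Port Authority's own code.
// PLACEHOLDER suffix: substitute the tracker's real infrastructure domain.
const BLOCKED_SUFFIXES = ["tracker-infra.example"];

// Lower-case and strip the trailing root dot so comparisons are stable.
function normalize(name) {
  return String(name || "").trim().toLowerCase().replace(/\.$/, "");
}

// Match on whole DNS labels: "a.tracker-infra.example" matches,
// "nottracker-infra.example" and "tracker-infra.example.evil.test" do not.
function matchesBlockedSuffix(name, suffixes = BLOCKED_SUFFIXES) {
  const n = normalize(name);
  if (!n) return false;
  return suffixes.some((s) => {
    const suffix = normalize(s);
    return n === suffix || n.endsWith("." + suffix);
  });
}

// resolveCanonical(hostname) -> Promise<string|undefined> is injected by the caller.
// A failed lookup is treated as "no CNAME" instead of breaking the request.
async function classifyRequest(rawUrl, resolveCanonical) {
  const host = new URL(rawUrl).hostname;
  if (matchesBlockedSuffix(host)) return { block: true, reason: "direct", host };
  let canonical;
  try { canonical = await resolveCanonical(host); } catch { canonical = undefined; }
  if (canonical && matchesBlockedSuffix(canonical)) {
    return { block: true, reason: "cname", host, canonical: normalize(canonical) };
  }
  return { block: false, reason: "none", host };
}
```

Because the decision is made on the resolved name, a customer-specific alias that no static list knows about is still caught, which is the advantage the note above describes.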

Most of these sites are using Lexis Nexis’s ThreatMetrix scripts. Dan Nemec has an excellent blog post reverse engineering the script and showing all the invasive data collected: https://blog.nem.ec/2020/05/24/ebay-port-scanning/

I have no idea. I am not a lawyer, but I have taken a course based on cybersecurity policy and law, where we read about the precedent set for the Computer Fraud and Abuse Act (CFAA). Overall it is a very vague, overreaching law written out of fear due to the 1983 movie “War Games.” To sum it up, any unauthorized access to a protected computer system is a felony. Unauthorized access is primarily defined as bypassing security measures put into place. Well… these websites are bypassing your antivirus software, firewall, VPN, network intrusion detection, NAT, or any other mechanism in the way preventing people on the internet from port scanning your internal network.

The worst part is that these companies know that it is wrong. I mean, read above where I explain the lengths they go to to try and prevent you from seeing what data they collect. Why would you go through the trouble of hiding infrastructure and dynamically obfuscating code to annoy reverse engineers if you weren’t doing something malicious? Actions speak louder than words.

How you can help

I’m not a JavaScript expert by any stretch of the imagination, so if you see ways to optimize, improve or otherwise fix anything within the add-on, I would be extremely grateful. All the ways to contact me are Here. If you aren’t a programmer by trade but still want to help, I’m always looking for new ways to simplify or increase the speed of the regex https://regex101.com/r/DOPCdB/16.

So What?

I understand that it is very niche to care about privacy, and 99% of Firefox users will not install some random addon. At the end of the day, these sites will happily get their data from the unsuspecting 99%, sell it and hoard it. This is why privacy by default is so crucial: that way, not everyone needs to waste hundreds of hours researching some weird privacy invasion, like I did. Collecting data about users is completely fine as long as they give you explicit consent to do so. In this case, websites are bypassing security measures and collecting data about your internal network in secret.

Donations ❤️

If you are feeling generous or really like my work, consider donating or sponsoring my GitHub :) Any small amount helps (even $1).

  • https://github.com/sponsors/ACK-J
  • Monero Address: 42zDzRjrCxadRVDcjWRLWAgsgeiQvB1E2R3j9TaWfLKGFB6YrQTLWj2QE3ioaLwhgK8V9wi29HNKd2gz3yAkGLLCAmQwCk7
  • Z-Cash Address: zs1u6s644dagu62hgq4zhpt2ywma70ccz7y60qsltf96tc7u2uxng3caqhlqnfsh96qlcymzgddaav

Regex Explanation

Test HTTP / HTTPS Portscanning

Test Websocket Portscanning

Test sites that port scan you or otherwise run ThreatMetrix scripts (Wall of Shame!)

  • https://signin.ebay.com
  • https://login.my.chick-fil-a.com
  • https://bestbuy.com/identity/signin
  • https://dazn.com/en-US/account/signin
  • https://login.globalsources.com
  • https://auth.bitbay.net/login
  • https://login.mahix.org
  • https://marcus.com/us/en/login
  • The full list of endpoints can be found HERE.

WARNING

USING SOCKS5 PROXIES WITH THIS ADDON WILL CAUSE DNS LEAKS DUE TO HOW FIREFOX HANDLES CNAME LOOKUPS. FOR MORE INFORMATION SEE HERE https://github.com/ACK-J/Port_Authority/issues/7#issue-925519591

  • There is a simple fix for this. Type about:config in your browser, accept the warning, search for network.trr.mode and change it to 3