Websockets: Why We Can’t Have Nice Things

Websockets are a handy device that allows for snappier browser/server interactions. As with all useful things, the usual bad actors have found a way to abuse them. It turns out that a Web site you are visiting can port scan your machine’s private address space (localhost, 128/8) to infer what software you are using. Charlie Belmer, who posted the above link, speculates that sites are probably doing this as a way of fingerprinting and tracking, although he notes that it may also be used as a means of threat detection.

Apparently, a number of major sites are guilty of this behavior. Belmer’s post shows a bit of code that caught eBay doing it. That sort of behavior is annoying and arguably illegal, but it’s easy to shrug it off as small potatoes. That would be a mistake.
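
One way to spot this behavior in a record of WebSocket connection attempts, as an added example (not Belmer's code): it flags public pages that contact several distinct ports on the visitor's own machine. The `{page, target}` record shape, the function names and the sample data are assumptions constructed for illustration.

```javascript
// Added example: flag pages that open WebSockets to many loopback ports.
// Input record shape {page, target} is an assumption, not a real log format.

// True when a ws:// or wss:// URL points at the visitor's own machine.
function isLoopbackTarget(target) {
  let url;
  try { url = new URL(target); } catch (e) { return false; } // unparseable
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return false;
  // URL normalises numeric forms such as 0x7f.1 to dotted 127.0.0.1.
  const host = url.hostname.toLowerCase();
  return host === "localhost" || host.endsWith(".localhost") ||
         host === "[::1]" || /^127\.\d+\.\d+\.\d+$/.test(host);
}

// Port actually contacted, filling in the scheme default when omitted.
function targetPort(target) {
  const url = new URL(target);
  if (url.port !== "") return Number(url.port);
  return url.protocol === "wss:" ? 443 : 80;
}

// Group attempts by page origin; report origins probing >= minPorts ports.
function findLocalScans(attempts, minPorts = 3) {
  const byOrigin = new Map();
  for (const { page, target } of attempts) {
    if (!isLoopbackTarget(target)) continue;
    const origin = new URL(page).origin;
    // A page served from loopback talking to loopback is local development.
    if (isLoopbackTarget(origin.replace(/^http/, "ws"))) continue;
    if (!byOrigin.has(origin)) byOrigin.set(origin, new Set());
    byOrigin.get(origin).add(targetPort(target));
  }
  return [...byOrigin]
    .filter(([, ports]) => ports.size >= minPorts)
    .map(([origin, ports]) => ({ origin, ports: [...ports].sort((a, b) => a - b) }));
}

// Constructed sample data (hostnames and ports are made up).
const SAMPLE = [
  { page: "https://shop.example/item/1", target: "wss://127.0.0.1:5900/" },
  { page: "https://shop.example/item/1", target: "wss://localhost:3389/" },
  { page: "https://shop.example/item/2", target: "ws://0x7f.1:5931/" },
  { page: "https://shop.example/item/2", target: "wss://127.0.0.1:5900/" },
  { page: "https://chat.example/", target: "wss://rt.chat.example/socket" },
  { page: "http://localhost:8080/", target: "ws://localhost:8080/hmr" },
];
```

Calling `findLocalScans(SAMPLE)` reports only `https://shop.example`; the ordinary chat socket and the local development page are ignored.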

Steve Stagg wondered what would happen if, after finding an open port, an attacker tried to connect to it. It turns out that it is possible to capture useful data, although it’s not really a very efficient exploit. Read Stagg’s post for the details. Stagg didn’t find any evidence that anyone is actually using the exploit, but we can be sure that someone, somewhere will find a way to make it pay.

I’m sure browser manufacturers will move to close these holes but in the meantime it would be nice to see an investigation into this sketchy behavior. Maybe it will give some of these companies pause. But probably not.
