This is a short update to my Websockets: Why We Can’t Have Nice Things post. That post discussed a tactic used by several Web sites that uses Websockets to scan for open localhost ports. There was some speculation that this was in service of an attempt to determine if remote processes were running on the computer, a security risk. Whatever the original purpose, Steve Stagg discovered that it was possible to connect to these ports and recover possibly sensitive data.
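The defensive side of Stagg's finding is that a service listening on localhost should not hand data to any page that manages to open a WebSocket to it. The following is an added example, not code from the original post or from any site or vendor it names: a hypothetical local helper service that checks the Origin header of each WebSocket handshake against its own UI origin, and a small summary that flags a single foreign origin touching many local ports, which is what the scanning tactic looks like from the listening side. The allowed origins, port numbers and handshake requests are constructed for the example.

```python
"""Added example: Origin validation and scan detection for a localhost service.

Not code from the original post or from any product it names. Assumes a
hypothetical local service that accepts WebSocket connections from its own
web UI only; origins, ports and requests below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Optional

# Origins this hypothetical local service is willing to serve (assumption).
ALLOWED_ORIGINS = frozenset({"http://localhost:8000", "http://127.0.0.1:8000"})


def parse_handshake(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 request head into its request line and a
    lower-cased header map. Only the head is needed for the decision."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_websocket_upgrade(headers: dict[str, str]) -> bool:
    """True when the request asks for the WebSocket upgrade (RFC 6455)."""
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())


def handshake_decision(raw: bytes, allowed=ALLOWED_ORIGINS) -> tuple[bool, str]:
    """Decide whether to accept a WebSocket handshake.

    Browsers always send Origin on a WebSocket handshake, so a missing or
    foreign Origin means the page opening the socket is not our own UI.
    Rejecting here is what keeps a third-party script from reading data
    out of a local port it managed to connect to.
    """
    _, headers = parse_handshake(raw)
    if not is_websocket_upgrade(headers):
        return False, "not a websocket upgrade"
    origin = headers.get("origin")
    if origin is None:
        return False, "missing Origin header"
    if origin.lower() not in allowed:
        return False, f"cross-origin handshake from {origin}"
    return True, "origin allowed"


def make_handshake(host: str, port: int, origin: Optional[str]) -> bytes:
    """Build a constructed handshake request, shaped as a browser sends it."""
    lines = ["GET / HTTP/1.1", f"Host: {host}:{port}", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Version: 13",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Constructed sample of handshakes seen by local listeners on several ports.
# The first entry is the service's own UI; the rest are one foreign origin
# touching port after port, which is the pattern the post describes.
SAMPLE_HANDSHAKES = [
    (8001, make_handshake("127.0.0.1", 8001, "http://localhost:8000")),
    (5900, make_handshake("127.0.0.1", 5900, "https://shop.example")),
    (5939, make_handshake("127.0.0.1", 5939, "https://shop.example")),
    (6463, make_handshake("127.0.0.1", 6463, "https://shop.example")),
    (63333, make_handshake("127.0.0.1", 63333, "https://shop.example")),
]


def probing_origins(handshakes, min_ports: int = 3) -> dict[str, list[int]]:
    """Group rejected handshakes by Origin and report any origin that
    touched at least `min_ports` distinct local ports."""
    ports_by_origin: dict[str, set[int]] = defaultdict(set)
    for port, raw in handshakes:
        accepted, _ = handshake_decision(raw)
        if accepted:
            continue
        origin = parse_handshake(raw)[1].get("origin", "<none>")
        ports_by_origin[origin].add(port)
    return {o: sorted(p) for o, p in ports_by_origin.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for port, raw in SAMPLE_HANDSHAKES:
        print(port, *handshake_decision(raw))
    print("probing origins:", probing_origins(SAMPLE_HANDSHAKES))
```

The Origin check is the piece that matters for Stagg's concern: a port-scanning script can still observe whether the connection opens or fails, but a service that refuses foreign origins never sends anything back over the socket. The `probing_origins` summary is a local-log view of the same events and is only a heuristic; the threshold of three ports is a constructed choice.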
Bleeping Computer has an update on the matter that among other things lists some or all of the sites using this tactic. Their article also sheds light on the reason for the port scanning. It turns out that—at least on the part of the major sites—it is a security measure. You can read their article for the details but the TL;DR is that they’re all running a script from LexisNexis’ ThreatMetrix service that performs the port scanning.
I expect that the browser manufacturers will soon put an end to this—especially in light of Stagg’s revelations—and, in fact, it’s already possible to disable it in Firefox. In the meantime, I doubt that this is really anything to worry about. It’s more about the audacity of Web sites thinking they have the right to run any code they want on our machines. Just imagine their response if we uploaded code to their servers to help prevent the download of malware. This sort of thing really needs to be made illegal.