🆕 Software Suggestion | Port Authority #2363

Open
opened 2021-07-03 16:01:28 +00:00 by ACK-J · 12 comments
ACK-J commented 2021-07-03 16:01:28 +00:00 (Migrated from github.com)

Basic Information

Name: Port Authority
Category: Browser Add-ons
URL: https://github.com/ACK-J/Port_Authority
Blog Post: https://www.g666gle.me/Port-Authority/
URL: https://addons.mozilla.org/en-US/firefox/addon/port-authority/

Description

Blocks websites from utilizing JavaScript to port scan your computer / internal network and dynamically blocks all LexisNexis endpoints from running their invasive data collection scripts. This add-on does not collect any user data ever and all processing happens within the user's browser.

This add-on is highly auditable, being only about 150 lines of JavaScript, not including the GUI. It functions by using this regex I wrote [HERE](https://regex101.com/r/DOPCdB/15) to check if a non-internal IP address (ex. `google.com`) is trying to connect with an address on your local network (ex. `127.0.0.1:9001`); if so, the request will be blocked. The second thing this add-on does is check every request to see if the domain name (ex. google.com) has a `CNAME` record that redirects to `online-metrix.net`, which is a trick they use to pull down an extremely invasive data collection script, which I go into more detail on below.

Example of why this addon is crucial

Go to https://www.chick-fil-a.com/ (temporarily disable ad-blockers) and click sign in, then open up your network console (CTRL + SHIFT + I) and view Chick-fil-A port scanning your computer.

![image](https://user-images.githubusercontent.com/60232273/124360964-90a56f00-dbfa-11eb-816e-354c10979075.png)

Example of eBay trying to pull down Lexis Nexis's invasive data script. You can see it reaching out to `src.ebay-us.com` which is just a CNAME for `h-ebay.online-metrix.net.`

![image](https://user-images.githubusercontent.com/60232273/124361155-a1a2b000-dbfb-11eb-9f85-4f2738f37bdd.png)
![image](https://user-images.githubusercontent.com/60232273/124361296-605ed000-dbfc-11eb-9c53-7f0f2b85f3fd.png)

Here's every endpoint I have found that redirects using a CNAME just like `src.ebay-us.com` does [HERE](https://gist.github.com/ACK-J/65dfe84fcf5a06c46364e5f2bd29c118)

Why I am making the suggestion

I was intrigued back in May of 2020 when eBay got caught port scanning their customers. I noticed that all of the articles covering this topic mentioned that there was nothing you could do to prevent it... so I wanted to make one. After going down many rabbit holes, I found that this script which was port scanning everyone is, in my opinion, malware.

Here's why I think that:

  1. The data being exfiled from your computer is encrypted into an image with XOR. (weird)
  2. The domain it reaches out to is made to look legitimate, but redirects using a CNAME record to Lexis Nexis' servers.
  3. It tries to determine your "TrueIP" address even if you are using a VPN / Proxy [HERE](https://risk.lexisnexis.com/global/en/products/threatmetrix).
    • "Helps detect the use of location and identity cloaking services, such as hidden proxies and VPNs, allowing your business to see the true IP address, geolocation and other attributes."
  4. The JavaScript is assembled via string.join (like malware often does) and then executed in a service worker.
  5. Each time you load the page the javascript is re-obfuscated.
  6. The script collects `416` pieces of personally identifiable information about you and your network. ( Shown [HERE](https://gist.github.com/ACK-J/aa8dceb072d31d97a4e7fe0ef389f370) )
  7. There is no lost functionality of a site by blocking these scripts.

So I developed multiple ways to stop this. The first being the existing functionality built into Port Authority. By default, Port Authority will check the sites that your browser reaches out to and if it redirects to Lexis Nexis' infrastructure, it will be blocked and you will receive a notification. The second is a Python script I wrote which uses Shodan to find all of Lexis Nexis' customer-specific domains on the internet [HERE](https://gist.github.com/ACK-J/7a2da401c732cbe58479d03acc4e4b43). You can add the output of the script to a blocker such as uBlockOrigin to prevent your computer from connecting to them.

Note: This second method will never include every customer-specific endpoint so you are better off using the dynamic blocking built into Port Authority which WILL block every single customer-specific endpoint Lexis Nexis uses.

Most of these sites are using Lexis Nexis's Threat Metrix scripts, Dan Nemec has a great blog post reverse engineering the script and showing all the invasive data collected https://blog.nem.ec/2020/05/24/ebay-port-scanning/

My connection with the software

I wrote the add-on :)

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
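An added example, not Port Authority's own code (that is in the repository linked above): the two checks the post describes, written as pure JavaScript functions so they can be run and tested outside the browser. The private-range list, the decision to allow requests that have no initiator, the `.local`/`localhost` name list and the sample URLs are assumptions of this example. In the real extension the initiator would come from the webRequest `originUrl`/`documentUrl` fields and the CNAME chain from `browser.dns.resolve(host, ["canonical_name"])`.

```javascript
// Added example modelling the two checks described in the post.
// Not Port Authority's own code; range list and policy choices are assumptions.

const THREATMETRIX_SUFFIX = "online-metrix.net";

// Parse "a.b.c.d" into four octets, or return null if it is not a dotted quad.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Loopback, RFC 1918, link-local, 0.0.0.0/8 and (by assumption) CGNAT 100.64/10.
function isPrivateOctets(o) {
  const [a, b] = o;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

function isPrivateIPv4(host) {
  const o = parseIPv4(host);
  return o !== null && isPrivateOctets(o);
}

// IPv6: loopback/unspecified, unique-local fc00::/7, link-local fe80::/10, and
// IPv4-mapped ::ffff:x.x.x.x (which the URL parser re-serialises as ::ffff:hhhh:hhhh).
function isPrivateIPv6(host) {
  const h = host.toLowerCase();
  if (h === "::1" || h === "::") return true;
  if (h.startsWith("::ffff:")) {
    const rest = h.slice(7);
    if (rest.includes(".")) return isPrivateIPv4(rest);
    const [hi, lo] = rest.split(":").map((g) => parseInt(g, 16));
    if (Number.isNaN(hi) || Number.isNaN(lo)) return false;
    return isPrivateOctets([hi >> 8, hi & 0xff, lo >> 8, lo & 0xff]);
  }
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return true;
  if (/^fe[89ab][0-9a-f]:/.test(h)) return true;
  return false;
}

// Names that mean "this machine" or "this LAN" without a DNS lookup (assumed list).
function isLocalName(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === "localhost" || h.endsWith(".localhost") || h.endsWith(".local");
}

// Classify a URL hostname as local/internal. new URL(...).hostname returns IPv6
// literals in brackets, so strip them first.
function isLocalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "");
  return isPrivateIPv4(h) || isPrivateIPv6(h) || isLocalName(h);
}

// Check 1: block when a non-local page reaches for a local address.
// A request with no initiator (the user typing http://127.0.0.1:9001/ into the
// address bar) is allowed, by assumption, so local dev servers keep working.
function shouldBlockLanRequest(initiatorUrl, requestUrl) {
  if (!initiatorUrl) return false;
  let initiator, target;
  try {
    initiator = new URL(initiatorUrl);
    target = new URL(requestUrl);
  } catch {
    return false; // unparsable URL: nothing to judge, the browser will refuse it
  }
  return !isLocalHost(initiator.hostname) && isLocalHost(target.hostname);
}

// Check 2: does any name in the CNAME chain sit under online-metrix.net?
// In the extension the chain comes from browser.dns.resolve(host, ["canonical_name"]);
// here it is passed in so the logic runs offline. Trailing dots are tolerated.
function cnameHitsThreatMetrix(chain) {
  return chain.some((name) => {
    const n = name.toLowerCase().replace(/\.$/, "");
    return n === THREATMETRIX_SUFFIX || n.endsWith("." + THREATMETRIX_SUFFIX);
  });
}

// Constructed sample requests modelled on the two cases in the post.
const SAMPLE_REQUESTS = [
  ["https://www.chick-fil-a.com/", "ws://127.0.0.1:9001/"],
  ["http://192.168.0.1/", "http://192.168.0.1/api/status"],
  ["https://www.ebay.com/", "https://src.ebay-us.com/"],
];
for (const [from, to] of SAMPLE_REQUESTS) {
  console.log(shouldBlockLanRequest(from, to) ? "BLOCK" : "allow", from, "->", to);
}
// Constructed CNAME chain matching the one shown in the post's screenshot.
console.log(cnameHitsThreatMetrix(["src.ebay-us.com", "h-ebay.online-metrix.net."]));
```

Two caveats a practitioner would want: the first check only sees IP literals and a few well-known names, so a public hostname that resolves to a private address (DNS rebinding) passes unless the extension resolves the name first, which is why the CNAME lookup already in the design is the right place to also inspect the A/AAAA answer; and the `online-metrix.net` suffix match is the only part of the second check that is specific to ThreatMetrix, so extending it to other fingerprinting vendors is a one-line list change.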
t1011 commented 2021-07-04 09:21:23 +00:00 (Migrated from github.com)

It looks good.

peepo5 commented 2021-07-04 21:37:24 +00:00 (Migrated from github.com)

+1

ACK-J commented 2021-07-05 03:02:53 +00:00 (Migrated from github.com)

@q1011 @peepopoggers <3 Please reach out with any thoughts on how to improve!

yugen-sec commented 2021-07-05 06:34:25 +00:00 (Migrated from github.com)

Good job! Will you be extending this to support Chrome as well?

ACK-J commented 2021-07-05 12:02:58 +00:00 (Migrated from github.com)

@yugen-sec Yea, I'll be working on a port to chrome very soon.

SpitFire-666 commented 2021-07-06 00:54:53 +00:00 (Migrated from github.com)

Hi there, looks interesting. Anywhere I can provide feedback? I found the addon prevented me from logging into Azure/MS Online:

![image](https://user-images.githubusercontent.com/38451588/124527260-8b3d6400-de48-11eb-9ddd-c8ea71f79771.png)

Disabling the addon allows login to work again. Cheers!

ACK-J commented 2021-07-06 02:00:24 +00:00 (Migrated from github.com)

@campbellkerr Yes! Please file a bug report https://github.com/ACK-J/Port_Authority/issues and I will try and fix it asap.

ph00lt0 commented 2021-07-21 13:42:54 +00:00 (Migrated from github.com)

@ACK-J it seems ublock origin now also blocks LAN. Would installing Port Authority have any benefit?

https://teddit.net/r/privacytoolsIO/comments/ooie4u/psa_ublock_origin_added_two_new_stock_filter/

ACK-J commented 2021-07-21 20:33:04 +00:00 (Migrated from github.com)

@ph00lt0 No. I'm not exactly sure how their regex stacks up to mine but it probably works fine and will only get better. You can simply use uBlock instead of PortAuthority. rip

ph00lt0 commented 2021-07-21 20:35:06 +00:00 (Migrated from github.com)

@ACK-J thanks for your honest answer. Either way, I appreciate that you brought attention to this.

ACK-J commented 2021-07-21 20:45:19 +00:00 (Migrated from github.com)

@ph00lt0 Yea of course. I love uBlock and I think this was an area they were lacking in so I'm really excited I was able to bring attention to it. I'm still going to maintain Port Authority if anyone was wondering. I have a beautiful redesign of the GUI coming out in a month or so, working on finishing touches right now but slammed with other work. It allows you to visualize which IPs and ports the site is trying to connect with as well as the domains of the ThreatMetrix scripts.

ph00lt0 commented 2021-07-21 20:48:17 +00:00 (Migrated from github.com)

@ACK-J that sounds very good for doing research. I am not sure if it will be listed because the less add-ons you need the better, but let's see what others have to say.

This repo is archived. You cannot comment on issues.
Reference: privacyguides/privacytools.io#2363