by dndvr 2206 days ago
Surely the websockets angle is a bit of a red herring?

eBay will have your IP from your request, so they can run nmap against your machine from their server without your browser ever knowing about it.

I also know of a bank that does similar in an old-school sort of way: their online banking login page tries to load images from URLs made up of your IP and various ports.

Presumably these are targeting known ports for online banking malware C&C HTTP traffic rather than remote desktop services though.

And this is a bank that still uses frames 'for security', so it must be an old technique!

1 comments

Websockets bring them past the router and any other hardware firewall or NAT. Also various software only listens to localhost, on the assumption that local traffic is trustworthy.

They could still portscan from afar and it would still be sketchy, but using Websockets makes it worse.

So does using websockets allow you to scan local IP ranges and find other devices on the LAN?
By the rule of all web technology sucks and is untrustworthy, they block 10.0.0.0 and 192.168.0.0, but inexplicably allow 172.16.0.0-172.31.255.255.

(Or at least, that was what someone else claimed last time this came up on HN)

Who's "they" in this context? It's unclear to me if this refers to eBay or browser vendors.
My understanding is it allows them to check for things listening on loopback, given they appear to be checking for SSH tunnels.
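
The gap claimed above (10.0.0.0 and 192.168.0.0 blocked, 172.16.0.0-172.31.255.255 allowed) is the kind of hole a hand-written range list leaves. As an added example, not taken from the thread or from any browser or site, this is a check a content-blocker or proxy rule could use to flag WebSocket URLs that point at loopback or internal addresses; the function names and labels are assumptions.

```javascript
// Added example: classify the host of a ws:// or wss:// URL.
// Ranges: loopback, the three RFC 1918 private blocks, and link-local.
const INTERNAL_V4 = [
  ["127.0.0.0", 8, "loopback"],
  ["10.0.0.0", 8, "private"],
  ["172.16.0.0", 12, "private"], // 172.16.0.0 - 172.31.255.255
  ["192.168.0.0", 16, "private"],
  ["169.254.0.0", 16, "link-local"],
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Returns "loopback", "private", "link-local", "public", "name" or "invalid".
function classifyWsTarget(url) {
  let u;
  try { u = new URL(url); } catch { return "invalid"; }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return "invalid";
  // The URL parser already normalises short and numeric IPv4 forms
  // (e.g. 127.1 or 2130706433) to a dotted quad for ws/wss URLs.
  const host = u.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || host === "[::1]") {
    return "loopback";
  }
  const ip = ipv4ToInt(host);
  if (ip === null) return "name"; // a hostname: classify after DNS resolution
  for (const [base, bits, label] of INTERNAL_V4) {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    if (((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0)) return label;
  }
  return "public";
}
```

A "name" result is not a verdict: a public hostname can resolve to an internal address, so the resolved IP needs the same check.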