eBay web site tries to connect to wss://localhost:xxxxx - is this legit, or do they have some malware JS running?

This is eBay running a local port scan over WebSockets. It has been reported recently:

  • https://twitter.com/JackRhysider/status/1264415919691841536 (original research)
  • https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/ (bleeping computer article)

I don't think it's malicious, but it is bad practice: it's sneaky and erodes user trust. They do it before you accept any T&Cs of any kind allowing probing into your own computer.

Similar tactics are used by banks in more or less open ways (it varies).


There's been some discussion of this recently, e.g. here and here.

Suggested reasons for port scanning include: a) fingerprinting to uniquely identify your machine for future reference, or b) attempting to determine whether your machine is part of a botnet, since botnets often use VNC services over various standard ports to control their bots.


A German computer magazine wrote about this observation last week and asked eBay for a statement.

eBay's answer was:

There is some widespread software, either malware or legitimate software, which can be misused to steal the eBay password. This software is listening on certain TCP ports.

By trying to establish a connection to these TCP ports, the (JavaScripts of the) eBay web site tries to find out if such software is currently running.
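
A defensive check for the behaviour described in the answers above, added here as an example and not part of the original posts: it reads a browser HAR export and reports pages that tried to reach loopback addresses, marking those that touched several distinct local ports. The function names, the `minPorts` threshold and the sample HAR are assumptions made for this example, as is the premise that the HAR page title holds the page URL (as in Chrome's export).

```javascript
// Added example: find loopback connection attempts made by non-local pages in a HAR export.

function isLoopback(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost') || h === '[::1]') return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h); // all of 127.0.0.0/8 is loopback
}

function portOf(url) {
  if (url.port) return Number(url.port);
  return url.protocol === 'https:' || url.protocol === 'wss:' ? 443 : 80;
}

// minPorts is a hypothetical threshold: several distinct local ports suggests probing,
// while a single port may be a legitimate local helper application.
function findLoopbackProbes(har, minPorts = 3) {
  // Assumption: page.title holds the page URL, as in Chrome's HAR export.
  const titles = new Map((har.log.pages || []).map((p) => [p.id, p.title]));
  const hits = new Map();
  for (const entry of har.log.entries || []) {
    let target;
    try { target = new URL(entry.request.url); } catch { continue; }
    if (!isLoopback(target.hostname)) continue;
    const page = titles.get(entry.pageref) || '(unknown page)';
    let pageHost = '';
    try { pageHost = new URL(page).hostname; } catch { /* title is not a URL */ }
    if (pageHost && isLoopback(pageHost)) continue; // local dev page talking to itself
    if (!hits.has(page)) hits.set(page, new Set());
    hits.get(page).add(portOf(target));
  }
  return [...hits].map(([page, ports]) => ({
    page,
    ports: [...ports].sort((a, b) => a - b),
    likelyScan: ports.size >= minPorts,
  }));
}

// Constructed sample HAR (not captured traffic); hosts and ports are illustrative.
const SAMPLE_HAR = { log: {
  pages: [{ id: 'p1', title: 'https://shop.example/' }, { id: 'p2', title: 'http://localhost:3000/' }],
  entries: [
    { pageref: 'p1', request: { url: 'https://cdn.shop.example/app.js' } },
    { pageref: 'p1', request: { url: 'wss://localhost:5900/' } },
    { pageref: 'p1', request: { url: 'wss://127.0.0.1:3389/' } },
    { pageref: 'p1', request: { url: 'wss://localhost:5931/' } },
    { pageref: 'p2', request: { url: 'ws://localhost:3000/hmr' } },
  ] } };

console.log(JSON.stringify(findLoopbackProbes(SAMPLE_HAR), null, 2));
```

To use it on real data, save a HAR from the browser's network panel while loading the page and pass the parsed JSON to `findLoopbackProbes`.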