web browser

Brave browser will prevent websites from port scanning visitors

If you use Brave browser, then you’re shortly going to find you have a new string added to your security bow. Websites performing port scanning will now be automatically blocked beginning with version 1.54 of the browsing tool.

Port scanning, I hear you cry? Yes indeed. You may well not have even been aware that sites do such a thing. You may expect some antics related to cookies and perhaps the occasional tracking beacon, but port scanning?

Who is doing this and why?

Well, let’s start at the beginning with a rundown of what port scanning actually is. Port scanning involves scanning a computer network for open ports, which can then be exploited by individuals up to no good to gain unauthorised access or gather information about potential system vulnerabilities. It’s worth noting that scanning is not by default a malicious activity. For example, an organisation’s IT team may do this to ensure everything is working as expected and close any potential gaps which may have been missed.

As Ars Technica notes, a 2021 list of sites compiled by a researcher makes it clear that many major sites are, or have been, involved in this practice. Brave claims that many popular browsers allow websites to “access local network resources without protection or restriction, which puts users’ privacy and security at risk.”

The issue Brave is tackling is one related to how browsers typically work. While you may think everything is being served up from the web, some aspects of what you see in a browser are being hosted by software on your computer. Browsers are allowed to access these resources, and, on top of that, some software has been built to be accessible to websites with no malicious intention behind it. From the Brave update website:

…a small but important amount of software has been built expecting to be freely accessible by websites, often in ways invisible to users. And many of these uses are benign. Examples include some wallets for cryptocurrencies, security software provided by banks or security companies, and hardware devices that use certain Web interfaces for configuration.

Now we come to the crunch. Lots of dubious software can use the access to localhost resources to get up to mischief. As Brave explains, fingerprinting scripts will try to figure out the combination of software running on your system. By doing so, someone now has a picture of you built up and can potentially track you across the web. They could also try to determine if you have some vulnerable products running on your device and then come back with an exploit.

From Brave version 1.54 and up, this will no longer be possible. Brave already blocks scripts known to maliciously scan localhost resources and block requests from public sites to localhost resources. This is what the new version will do:

  • Requests to localhost resources, from a localhost context are allowed automatically; Brave does not block a locally hosted page from accessing other locally hosted resources. 1
  • Brave will continue to use filter list rules to block scripts and sites known to abuse localhost resources.
  • Brave will include a new permission called the “localhost” permission. Only sites with this permission will be able to make sub-resource requests to localhost resources. By default, no sites have this permission and, importantly, most sites have no way to prompt users for this permission. However, advanced users can use the existing site settings interface to grant sites this permission. 2
  • Brave will also include a list of trusted sites, or sites known to access localhost resources for user-benefiting reasons. The first time a site on this list initiates a sub-request to a localhost resource, it will trigger a permission prompt of the previously mentioned localhost permission. This list is publicly available, and will be maintained by Brave.

The thinking behind this is that abuse of localhost resources is more common than it being used for beneficial actions. The Brave developers also don’t want to waste users’ time with lots of popups asking permission to do things that they expect “will only cause harm”.

Brave mentions that only Safari browser currently really does anything significant in this area, and that’s more of a “side-effect of security restrictions” rather than deliberate targeting. It remains to be seen if other browsers will jump on the localhost resource blocking bandwagon, but it probably wouldn’t be a bad thing if they do.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.