
Ask HN: Why does the US Visa application website do a port-scan of my network?

537 points| mbix77 | 6 months ago

I have recently installed this extension on FF: https://addons.mozilla.org/en-US/firefox/addon/port-authorit... and yesterday I visited this website: https://ceac.state.gov/genniv/ and I got a notification that the website tried to do a port-scan of my private network.

Is this a common thing? I have just recently installed the extension, so I am not sure if there are a lot of other websites who do it.

Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled.

252 comments


edarchis|6 months ago

Visa application is riddled with scams. From the simple website that charges you twice the price to websites that will tell you that you were rejected and then fake your documents to get in with your name. So they're probably trying to see that you're not one of those web servers, a proxy for them or detect some known C2 channels.

mrtksn|6 months ago

That would be quite clever for an incredibly horrible website. The other day my SO, who is a Turkish citizen, was filling out her visa application and after half an hour of meticulous form filling the system just kicked her out. I think the session times out or something. If you haven't created an account or you haven't written down the current application ID, everything is lost. In the process she was also directed to a non-.gov website for something; I thought she was getting scammed but no.

It actually makes sense to have a paid service that makes this abomination less painful. Though they work with VFS Global for collecting the applications and relevant documents, VFS Global itself is an abomination and doesn't help with the handling of the form filling anyway.

Recently the EU streamlined the Schengen visa application process for Turkish citizens, as those "visa agencies" that are the official agencies and the only way to apply for a visa for many countries don't actually help with anything and are scamming people by selling the "good hours" for the visa appointment on the black market. An agency was dropped for this, and the scams by agencies were listed among the reasons to streamline the application process.

Both with the US and the EU, people are losing scholarships etc. due to outrageous wait times that are sometimes years ahead, or there's an issue with the systems handling the applications.

I guess there must be an opportunity there to fix all this together with smaller stuff like handling transliteration and character encodings. I wonder if some of those scam sites are not scams and actually help with it. An AI agent can be useful here.

testdelacc1|6 months ago

Another data point - the Indian visa system is similar. The official website ending in .gov.in, which is hard to find, offers a visa for $10 and minimal hassle. The scam websites, with better SEO, sell the same shit for $80. They’re just proxying your application to the real website and pocketing the difference.

It would be good if the Indian government could block the scammers but I guess it’s a lower priority for the moment.

ChrisRR|6 months ago

I'm not too familiar with network side stuff. What would a port scan be able to detect that would indicate that you're a scammer?

dns_snek|6 months ago

Huh, how do you imagine that would work? This "scan" is happening inside client-side javascript, delivering the file through a proxy wouldn't "detect" anything about the proxy.

actionfromafar|6 months ago

If the proxy scams are just a little clever, they'll run the proxy on another IP.

1oooqooq|6 months ago

it's riddled with scams, and thinking any of this will detect any of the things you mention is very foolish, naive and shows a total lack of understanding of the scams. if you think using a proxy is essential for visa scams, i wouldn't even know where to begin to correct you.

it's one hundred per cent clueless privacy invasion. they are probably also opening ports via other means and using that for side channel ID like Facebook does.

just like any other documentation scam, the only weak point is on the "last mile" that's why you will always have a human interviewer.

the visa process is abusive and impractical because people will work around any hurdle and their kpi will never be affected no matter how crappy they manage to make the whole process. or how many doge kids implement useless privacy invasion tech just because.

karel-3d|6 months ago

It's coming from an F5 script; F5 is a company that sells anti-bot protection among other things. (It's coming from an obfuscated script at /TSPD, which is an F5 thing.)

https://www.f5.com/

karel-3d|6 months ago

TS seems to be short for TrafficShield (a product of some company F5 acquired in the early 2000s) and PD seems to be Proactive Defense (?)

jpeggtulsa|6 months ago

Isn't F5 the company that makes nginx?

b3lvedere|6 months ago

"Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled."

Never knew that this existed. Thank you!

nerflad|6 months ago

Checking out the initial request on GitHub for this feature, I wonder why this is necessary. What access to the local network does the browser provide, or need to provide, and why isn't this something developers are more concerned about? I had a feeling this was possible as I see lots of mDNS requests when I connect to certain things running sockets.

https://github.com/uBlockOrigin/uAssets/issues/4318

adastra22|6 months ago

I’m flabbergasted that this is even allowed. Who thought it was a good idea to allow any web page you visit to access your local network?

balamatom|6 months ago

Massively improved my security posture with this. Thanks all!

buyucu|6 months ago

Likewise I didn't know it existed, but it was enabled on my laptop and mobile browsers.

dd_xplore|6 months ago

Is that available in the Lite version too? Now that Origin is being phased out.

M95D|6 months ago

I'm using uMatrix and it blocks by default all connections outside the requested site and parent domains. For example, if I request https://mail.yahoo.com, connections to yimg.com are blocked. I need to manually allow each CDN for each website, so this attack/profiling won't work.

Using uMatrix was very annoying at first, most websites are broken without their CDNs, but after a few months or so, the whitelist grew and it contains 90% of websites I visit.

On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network). Interestingly, the browser console doesn't list connection attempts to localhost or burp. If I allow 127.0.0.1 and "tcpdump -i lo", I see connections to port 8888, which isn't open.

noja|6 months ago

How does uMatrix handle the Facebook tracking pixel, or the replacement which is the Conversions API Gateway?

This is a container that FB gives you to host that lives under your domain (it can be your main domain) that slurps up user data and sends it to Facebook from the server side. You embed some JS in your website, and they hoover up the data.

user070223|6 months ago

uMatrix is archived and I think uBlock Origin is now the advised one to use (it incorporates uMatrix functionality when you enable advanced settings).

For those who want to try blocking more stuff, you can enable hard mode and bind a keyboard shortcut for the "relax blocking mode" action.

I'd recommend also enabling filter lists (I advise yokoffing/filterlists and your region/language).

https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-m...

quietfox|6 months ago

It seems to try to check if you are using the Burp Suite on their web application.

samsonradu|6 months ago

How does it manage to hide the requests to 127.0.0.1 from the network tab?

sylware|6 months ago

Whitelisting seems to be the way to go. With IPv6 and OS-generated IPs (up to what the ISP domestic router allows) it could be very efficient.

lordofgibbons|6 months ago

How and why do browsers allow this? Why wouldn't the browser ask for permission in the same way that it does for Microphone access?

It's insane to allow any random website to port scan my LAN. If this wasn't a "feature", I would have considered this a high severity vulnerability.

JJJollyjim|6 months ago

Chrome doesn't allow it - local network services have to opt-in to being fetchable from public sites (https://github.com/WICG/private-network-access), although they're replacing it with a user-permission-based approach (https://github.com/WICG/local-network-access).

(There is some language online suggesting PNA has not actually shipped, but I experienced it myself in stable Chrome several years ago, so I am unsure of the current state).

Firefox doesn't implement either approach -- I assume this is indicative of their lack of development resources.

e40|6 months ago

That extension has "Access your data for all websites" ... I really don't get how anyone can give that permission to anyone that isn't well known (a company with a lot on the line) or a person famous for their work (the uBO dev) who has stated he will never sell to anyone or do bad things.

"Hacks and Hops" doesn't even have a valid home page. The extension links to https://g666gle.me/ which does not exist. The domain name itself does not want to make me give access to all my data for all websites to them.

As nice as this extension seems, I would never in a million years install it.

jeffbee|6 months ago

Unfortunately this level of incoherence is almost universal on HN and similar forums. You'd have to be completely out of your mind to install this extension, but people for some reason believe they can install privacy. They got whipped into fearing nebulous online actors so much that they'll download FSB rootkits dressed as VPNs. The minimal set of actions a rational person would take after realizing they've been tricked into installing this extension is setting their entire PC on fire and then running it over with their car, while moving all of their bank accounts to new accounts, in person, and changing all of their passwords using a brand new device.

galaxy_gas|6 months ago

Many sites do it. It's included in many standard device fingerprinting / anti-anonymity SaaS products. eBay, Facebook etc. all do this! But it looks like this one is first-party, to prevent the adblocking of them.

1MB of obfuscated fingerprinting + portscan + WebGL. But the oddity is that this one is trying to find Burp Suite specific routes.

meitham|6 months ago

Madness! How do I harden my network against that?

ahdanggit|6 months ago

my bank did this on the site they sent me to in order to activate my new card.

dns_snek|6 months ago

The "port scan" just seems to be a local connection to 127.0.0.1:8888. I don't know what purpose it serves on this page, but our government websites often use this technique to communicate with native software for digitally signing documents.

Are you seeing connection attempts to other IPs?

junon|6 months ago

Might also be card readers, debug servers, etc.

Could also be incompetence :D until I fixed it, deploying from my local machine rather than CD resulted in one of the baked in URLs being localhost rather than the public host on the project I'm working on now. Their local development server might just be at port 8888. Wouldn't surprise me.

gethly|6 months ago

Just a little side note - in this context, it makes sense if the website tries to connect to a local port because you might be running a card reader (i.e. a terminal). This is how it works with some (all?) EU countries that have a chip in their ID cards, or even vehicle registration cards, which you can use to access sensitive information or perform certain administrative tasks on government websites.

Although, from personal experience, it used to require Java and it worked only on Internet Explorer, and since that has been retired and replaced with Chromium, I am not sure what the way to make it work is nowadays, as I have not been able to figure out how to use it the last time I needed it.

layer8|6 months ago

It requires installing a local service that bridges between the browser and the smartcard driver (what Java applets did in earlier years). The web app then communicates with the service via requests on localhost. The card-specific driver and bridge service are often bundled together for installation.

cjrp|6 months ago

I've had it before where it asked me to use an iPhone/Android app which can read the passport's NFC chip. I guess that's the modern replacement for IE/Java.

asimovDev|6 months ago

Embarrassed to say that I wasn't aware of this practice. Are there malicious uses for this beyond fingerprinting?

privacyking|6 months ago

Yes. Facebook was using this trick on Android. Meta's android apps would host a server on localhost, and their sites would communicate with this local server to pass tracking information that would otherwise be blocked by all browser protection methods on Android. I guess it is still fingerprinting, but at the most extreme end.

https://news.ycombinator.com/item?id=44169115

palmfacehn|6 months ago

Routers with vulnerable URLs. You can search for: "router" "authentication bypass".

asimovDev|6 months ago

https://files.catbox.moe/g1bejn.png

When I visit the site from Safari on macOS I see this in the console. Are there any particular services that use port 8888 for the website to do this?

trod1234|6 months ago

Capturing forensic artifacts of the local network allows building a bridge strategy for identifying fraudulent networks without requiring knowledge of the path taken from destination to recipient. Other local devices do this and send the network map during a phone home, allowing comparison to a source of truth that is tied almost directly to the person, or group of people.

There is also a lot of fingerprintable material within such a port scan from clock skew, TCP ISN, and a few other areas.

You can sieve this quite easily with this available, thanks to Rokus, phones, and other things doing this while just sitting locally in a shared collision domain (a digital soldier quartered in every home).

The metadata node graph of devices locally acts as a unique fingerprint once in RFC1918 space, technically not unique but close enough.

vaylian|6 months ago

> Blocks malicious websites from port-scanning your computer/network

How does that work? A browser extension can't influence how your router and other machines in your network react to incoming requests.

ale42|6 months ago

As far as I understand it, it is supposed to be a scan done by the browser on the user's computer, not an external scan, which a browser extension wouldn't be able to detect.

Mashimo|6 months ago

Judging just from the screenshots, it seems it blocks websites from making GET requests to 127.0.0.1. Not a port scan to the outside, more of "what do you have running on the local machine inside your network".

est|6 months ago

but it can hook javascript methods before that scan can happen.
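As an added illustration of the "hook JavaScript methods before the scan can happen" idea (this is example code, not the extension's, uBlock Origin's or the site's own): a classifier for loopback, private-range, link-local and single-label targets such as the "burp" hostname seen in the thread, plus a guard that wraps fetch() so such requests are recorded and refused before they leave the browser. The placeholder origin and the sample hostnames are assumptions.

```javascript
// Added example: a page-level guard that classifies request targets the way a
// "Block Outsider Intrusion into LAN" rule would, then refuses fetch() calls
// aimed at loopback, private-range or single-label (LAN-resolved) hosts.

// Parse dotted IPv4 into an unsigned 32-bit integer; null if not IPv4.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((o) => o > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Loopback, RFC1918, link-local, CGNAT and "this network" ranges.
const PRIVATE_V4 = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["169.254.0.0", 16], ["100.64.0.0", 10], ["0.0.0.0", 8],
];

function inCidr(ip, [base, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// True when `target` (absolute URL, or a path resolved against `pageOrigin`)
// points at the visitor's own machine or private network. The default origin
// is a placeholder for tests; in a browser pass location.origin.
function isPrivateNetworkTarget(target, pageOrigin = "https://example.test") {
  let url;
  try { url = new URL(String(target), pageOrigin); } catch { return false; }
  if (!/^(https?|wss?):$/.test(url.protocol)) return false; // data:/blob: stay in-process
  let host = url.hostname.toLowerCase();
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1); // IPv6 literal
  if (host === "::1" || host.startsWith("fe80:") || /^f[cd][0-9a-f]{2}:/.test(host)) return true;
  if (host === "localhost" || host.endsWith(".localhost") || host.endsWith(".local")) return true;
  if (!host.includes(".") && !host.includes(":")) return true; // e.g. "burp": resolved via LAN search domain
  const ip = ipv4ToInt(host);
  return ip !== null && PRIVATE_V4.some((range) => inCidr(ip, range));
}

// Wrap fetch on `g` (window in a browser, a stub object in tests). Returns the
// list of blocked attempts so a page or extension can surface them; `report`
// receives one line per blocked call.
function installLanGuard(g, report = console.warn) {
  const pageOrigin = g.location ? g.location.origin : "https://example.test";
  const blocked = [];
  const deny = (kind, t) => { blocked.push({ kind, target: String(t) }); report(`[lan-guard] blocked ${kind} to ${t}`); };
  if (typeof g.fetch === "function") {
    const origFetch = g.fetch;
    g.fetch = function (input, init) {
      const target = input && input.url ? input.url : input; // Request object or string
      if (isPrivateNetworkTarget(target, pageOrigin)) {
        deny("fetch", target);
        return Promise.reject(new TypeError("blocked by lan-guard"));
      }
      return origFetch.call(this, input, init);
    };
  }
  return blocked;
}
```

The same wrapper pattern applies to XMLHttpRequest.prototype.open, WebSocket and Image.src, which is why extensions run this kind of hook in every frame before page scripts execute.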

tmdetect|6 months ago

Very interesting. Having looked at NoScript it seems like you can disable LAN as a default value under the allow tab.

tmdetect|6 months ago

Looking further

* uBlock Origin and Lite have it as an option under Filter List > Privacy > Block Outsider Intrusion into LAN

* Brave prevents it, tested with Aggressively block Trackers and Ads.

tzury|6 months ago

Data my friend, data. Port scanning? Well, tell us about the hosts and the port numbers. Add some logs if you've got them.

If you did not go into the details, chances are that when you do, this will turn out to be a false positive case.

If you did, where is the evidence?

jmclnx|6 months ago

It would be interesting to see what happens on OpenBSD. With pledge(2) and unveil(2) in Firefox, I wonder what it would see. I expect it would see nothing.

I will give it a try and see what happens and if I see anything I will add it here.

jmclnx|6 months ago

I saw nothing of note on OpenBSD. I added the plugin and it prompted me that an attempt was made to scan the network; it said it blocked the scan.

So, I guess that is going to be used on all my Firefox runs.

blablabla123|6 months ago

Have you double-checked whether the IP isn't shared among multiple website domains? That's quite a classic with IP based filtering with hosters like GCP...

gepeto42|6 months ago

They’d likely block you if they detected something like RDP open, cause that would likely indicate you’re hiding your real IP address.

jhoechtl|6 months ago

Checking if you are sharing torrents, run a tor node, mine coins?

77pt77|6 months ago

It's most likely smartcard authentication code.

kolla|6 months ago

My biggest grief with that site is that it's like something from the 90s.

SnuffBox|6 months ago

>like something from the 90s

It looks useful and looks good, there's minimal unneeded whitespace and I'm glad it looks as it does. We'd be better off if the entire web switched to a style like this.

bhaney|6 months ago

As something from the 90s myself, I find this rude.

danw1979|6 months ago

The 1990s web was actually good

yard2010|6 months ago

I think you are confusing something from the 90s with something from the gov.

Sohcahtoa82|6 months ago

Looking like something from the 90s would be a feature, not a bug.

In the 90s and early 00s, we did tons of user-testing and feedback collection. We threw all that research away to create UX's that are minimal and "sleek". Tons of unnecessary whitespace and the concept of "Discovery" just thrown into the dumpster. Skeuomorphism was one of the greatest features of 90s-00s software, ironically thrown away as computers got faster and were able to handle the graphics better.

jansper39|6 months ago

These guys need to look at Gov.uk, this site is a total horror show.

thrown-0825|6 months ago

Yeah it should have a fixed header and footer along with a pop-up consent drawer so you can only see 10% of the actual site content.

So much better.

Modern web design is a joke.

AtNightWeCode|6 months ago

Most likely some "antivirus" bs. Probably harmless. Fun fact. Most browsers allow by default GET access to web resources on localhost and LAN. Been used for exploits since last century.

trollbridge|6 months ago

For another example, studentaid.gov doesn’t work in private browsing.

jimt1234|6 months ago

I can do one better (worse): A state-run website that my sister frequents for her job requires Internet Explorer. Seriously. I installed a Chrome extension that modifies her user-agent header to IE, and it works fine. Easy work-around, but totally lame.

davsti4|6 months ago

I just tried opening it in a private window and the page loaded and rendered. What part doesn't work?

jeffbee|6 months ago

Isn't it sort of contradictory to try to use private browsing with a service that requires your identity?

jas-|6 months ago

[deleted]

vkardco|6 months ago

this is awesome

slyall|6 months ago

Be careful your security tool isn't producing false positives.

I remember years back when people would run these firewalls and we'd get complaints from home users about normal traffic.

Things like complaints that our mail servers were scanning them on port 25 when they sent email.