Brave Browser is ending behind-the-back port scanning attacks
The next major version of Brave Browser, a Chromium-based browser with a focus on privacy, will prevent sites and apps from accessing local resources without user permission.
Most modern browsers allow access to local resources. In fact, many do not differentiate between local and remote resources, and do not include options to block access to local resources.
While there are legitimate reasons for accessing local resources (a prime example is Intel's driver check application for Windows, which requires local access to function properly), the functionality is also abused. Brave Software notes that security software from banks and cryptocurrency wallets may also require local access, but the list is relatively small.
A list of more than 700 port scanning sites was published on GitHub in 2021 by a security researcher. Sites like eBay, Credit24 and many finance sector services were found on that list.
Many of these used the same script to detect potentially hacked computer systems to combat fraud.
Port scanning may also be used for malicious activity, ranging from use in fingerprinting and thus tracking attempts to checking for attack vectors on local systems.
Most popular browsers allow websites to access local network resources without protection or restriction, which puts users’ privacy and security at risk. Many popular websites query your local network, often as a fingerprinting technique; others do so to observe and possibly exploit information from other software running on your machine.
The browser already blocks scripts known to "maliciously scan localhost resources" and requests from "public sites to localhost resources" via its built-in filtering functionality.
Brave Browser 1.54 introduces a new localhost permission that gives users control over sites' access to localhost. The browser blocks such attempts by default, except for a small list of allowed resources that use the access for legitimate purposes. The protection covers access to local resources, e.g., images or webpages found on the local system, as well as port scanning.
Brave users may give any site permission to access local resources using this new preference. Some services that users run on their devices, and some websites, may require access to local resources; the controls implemented in Brave allow users to grant the permission to these services.
Brave Software notes that localhost access from a local context continues to be allowed in the browser.
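As an added illustration (not Brave's code), the following Python models the policy the article describes: a request from a non-local page to localhost is blocked unless the page's origin is on an allowlist or has been granted the permission, pages in a local context keep their access, and a page touching many distinct localhost ports is flagged as a likely scan. The allowlist contents, the sample request log and the scan threshold are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "0.0.0.0", "127.0.0.1", "::1"}

def is_local(host):
    """True for localhost names and loopback addresses (urlsplit strips IPv6 brackets)."""
    h = host.lower()
    if h in LOCAL_HOSTS or h.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False

def decide(page_url, request_url, allowlist=frozenset(), granted=frozenset()):
    """Hypothetical model of the localhost permission: 'allow' or 'block'."""
    req_host = urlsplit(request_url).hostname or ""
    page = urlsplit(page_url)
    if not is_local(req_host):
        return "allow"          # the permission only governs localhost targets
    if is_local(page.hostname or ""):
        return "allow"          # local context -> localhost keeps working
    page_origin = f"{page.scheme}://{page.netloc}"
    if page_origin in allowlist or page_origin in granted:
        return "allow"          # allowlisted resource or user-granted permission
    return "block"              # default for public sites

def localhost_ports(request_urls):
    """Distinct localhost ports a page touched; default port inferred from scheme."""
    ports = set()
    for u in request_urls:
        p = urlsplit(u)
        if p.hostname and is_local(p.hostname):
            ports.add(p.port or (443 if p.scheme in ("https", "wss") else 80))
    return sorted(ports)

def suspected_port_scan(request_urls, threshold=5):
    """Heuristic: many distinct localhost ports from one page looks like a scan (threshold assumed)."""
    return len(localhost_ports(request_urls)) >= threshold

# Constructed sample: a public shop page issuing requests to several localhost ports.
SAMPLE_PAGE = "https://shop.example/checkout"
SAMPLE_REQUESTS = [
    "https://cdn.example/app.js", "http://127.0.0.1:5938/", "http://127.0.0.1:3389/",
    "ws://localhost:5900/", "http://[::1]:8080/", "http://127.0.0.1:63333/probe",
]
```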
Other major web browsers, with the exception of Apple's Safari browser, allow localhost access automatically.
Image Credit: Wayne Williams