Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

China Uses Watering Hole Attacks, JSONP Hijacking to Identify Users

Chinese authorities are leveraging watering hole attacks and JSONP hijacking techniques to track down users who might attempt to hide their identity online, according to unified security management and threat intelligence company AlienVault.

Chinese authorities are leveraging watering hole attacks and JSONP hijacking techniques to track down users who might attempt to hide their identity online, according to unified security management and threat intelligence company AlienVault.

The Chinese government keeps a close eye on the country’s Internet with the aid of the Great Firewall and other censorship systems. While the Great Firewall is highly efficient when it comes to tracking users and blocking them from accessing certain resources, the system can be bypassed using virtual private networks (VPNs) and the Tor anonymity network.

Researchers at AlienVault have observed a series of watering hole attacks that they believe allow the Chinese government to identify certain users who might be trying to keep their identity hidden.

It’s not uncommon for Chinese threat actors to use watering hole attacks to target certain user groups or sectors. The attacks analyzed by AlienVault have targeted the visitors of the Chinese-language sites of NGOs, Uyghur communities, and Islamic associations.

These types of organizations have been targeted since at least 2013. However, researchers say the latest series of attacks involve a novel technique.

The attackers first breach the websites whose visitors they are targeting, in this case Uyghur, Islamic and NGO sites. The threat actors then plant a malicious JavaScript file on the hacked website.

This file allows them to collect private information from other online services on which the visitors of the compromised websites are logged in. The attackers accomplish this via a technique known as JSONP (JSON with padding) hijacking.

JSONP allows JavaScript applications to bypass the same-origin policy (SOP) in web browsers and request data from servers on a different domain. JSONP works by taking advantage of the fact that SOP is not enforced on <script> tags.

In the watering hole attacks analyzed by AlienVault, the attackers are leveraging the fact that many popular services are vulnerable to JSONP hijacking. The malicious JavaScript planted by the threat actors uses the <script> tag to make a JSONP request to one of the vulnerable services. The vulnerable website’s response can contain sensitive user information.

The list of websites vulnerable to JSONP hijacking includes,,,,,,,,,,,,,,,,, and

If the user is logged in to one of these websites when they visit the watering hole site, the attackers can obtain various pieces of information. While in many cases the JSONP request only returns user IDs and usernames, the cyber spies can also obtain nicknames, mobile phone numbers, real names, birth dates, gender, and other data. In some cases, the attackers might also be able to obtain the IP addresses of WebRTC users, experts said.

Researchers believe that any user information obtained as a result of this attack could allow Chinese authorities to identify individuals of interest. 

“Even if the only data the attackers can obtain is a user ID for a specific website, this information can be used to pinpoint targets for espionage within the GFW [Great Firewall],” AlienVault’s Eddie Lee and Jaime Blasco wrote in a blog post.

The fact that Baidu, Taobao and other popular Chinese services are vulnerable to JSONP hijacking has been known for quite some time yet the the issue remains unresolved. According to AlienVault, JSONP hijacking attacks can be prevented by including a random value in all JSONP requests, using CORS instead of JSONP, not using cookies to customize JSONP responses, and not including user data in JSONP responses.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.