China Uses Watering Hole Attacks, JSONP Hijacking to Identify Users

Chinese authorities are leveraging watering hole attacks and JSONP hijacking techniques to track down users who might attempt to hide their identity online, according to unified security management and threat intelligence company AlienVault.

The Chinese government keeps a close eye on the country’s Internet with the aid of the Great Firewall and other censorship systems. While the Great Firewall is highly efficient when it comes to tracking users and blocking them from accessing certain resources, the system can be bypassed using virtual private networks (VPNs) and the Tor anonymity network.

Researchers at AlienVault have observed a series of watering hole attacks that they believe allow the Chinese government to identify certain users who might be trying to keep their identity hidden.

It’s not uncommon for Chinese threat actors to use watering hole attacks to target certain user groups or sectors. The attacks analyzed by AlienVault have targeted the visitors of the Chinese-language sites of NGOs, Uyghur communities, and Islamic associations.

These types of organizations have been targeted since at least 2013. However, researchers say the latest series of attacks involve a novel technique.

The attackers first breach the websites whose visitors they are targeting, in this case Uyghur, Islamic and NGO sites. The threat actors then plant a malicious JavaScript file on the hacked website.

This file allows them to collect private information from other online services on which the visitors of the compromised websites are logged in. The attackers accomplish this via a technique known as JSONP (JSON with padding) hijacking.

JSONP allows JavaScript applications to bypass the same-origin policy (SOP) in web browsers and request data from servers on a different domain. JSONP works by taking advantage of the fact that SOP is not enforced on <script> tags.

In the watering hole attacks analyzed by AlienVault, the attackers are leveraging the fact that many popular services are vulnerable to JSONP hijacking. The malicious JavaScript planted by the threat actors uses the <script> tag to make a JSONP request to one of the vulnerable services. The vulnerable website’s response can contain sensitive user information.

The list of websites vulnerable to JSONP hijacking includes baidu.com, taobao.com, qq.com, sina.com.cn, sohu.com, 360.cn, tianya.cn, 163.com, youku.com, jd.com, alipay.com, ifeng.com, gome.com.cn, 58.com, suning.com, ctrip.com, renren.com, and qunar.com.

If the user is logged in to one of these websites when they visit the watering hole site, the attackers can obtain various pieces of information. While in many cases the JSONP request only returns user IDs and usernames, the cyber spies can also obtain nicknames, mobile phone numbers, real names, birth dates, gender, and other data. In some cases, the attackers might also be able to obtain the IP addresses of WebRTC users, experts said.

Researchers believe that any user information obtained as a result of this attack could allow Chinese authorities to identify individuals of interest. 

“Even if the only data the attackers can obtain is a user ID for a specific website, this information can be used to pinpoint targets for espionage within the GFW [Great Firewall],” AlienVault’s Eddie Lee and Jaime Blasco wrote in a blog post.

The fact that Baidu, Taobao and other popular Chinese services are vulnerable to JSONP hijacking has been known for quite some time yet the the issue remains unresolved. According to AlienVault, JSONP hijacking attacks can be prevented by including a random value in all JSONP requests, using CORS instead of JSONP, not using cookies to customize JSONP responses, and not including user data in JSONP responses.