Connect with us

Hi, what are you looking for?


Malware & Threats

China Uses Watering Hole Attacks, JSONP Hijacking to Identify Users

Chinese authorities are leveraging watering hole attacks and JSONP hijacking techniques to track down users who might attempt to hide their identity online, according to unified security management and threat intelligence company AlienVault.

Chinese authorities are leveraging watering hole attacks and JSONP hijacking techniques to track down users who might attempt to hide their identity online, according to unified security management and threat intelligence company AlienVault.

The Chinese government keeps a close eye on the country’s Internet with the aid of the Great Firewall and other censorship systems. While the Great Firewall is highly efficient when it comes to tracking users and blocking them from accessing certain resources, the system can be bypassed using virtual private networks (VPNs) and the Tor anonymity network.

Researchers at AlienVault have observed a series of watering hole attacks that they believe allow the Chinese government to identify certain users who might be trying to keep their identity hidden.

It’s not uncommon for Chinese threat actors to use watering hole attacks to target certain user groups or sectors. The attacks analyzed by AlienVault have targeted the visitors of the Chinese-language sites of NGOs, Uyghur communities, and Islamic associations.

These types of organizations have been targeted since at least 2013. However, researchers say the latest series of attacks involve a novel technique.

The attackers first breach the websites whose visitors they are targeting, in this case Uyghur, Islamic and NGO sites. The threat actors then plant a malicious JavaScript file on the hacked website.

This file allows them to collect private information from other online services on which the visitors of the compromised websites are logged in. The attackers accomplish this via a technique known as JSONP (JSON with padding) hijacking.

Advertisement. Scroll to continue reading.

JSONP allows JavaScript applications to bypass the same-origin policy (SOP) in web browsers and request data from servers on a different domain. JSONP works by taking advantage of the fact that SOP is not enforced on <script> tags.

In the watering hole attacks analyzed by AlienVault, the attackers are leveraging the fact that many popular services are vulnerable to JSONP hijacking. The malicious JavaScript planted by the threat actors uses the <script> tag to make a JSONP request to one of the vulnerable services. The vulnerable website’s response can contain sensitive user information.

The list of websites vulnerable to JSONP hijacking includes,,,,,,,,,,,,,,,,, and

If the user is logged in to one of these websites when they visit the watering hole site, the attackers can obtain various pieces of information. While in many cases the JSONP request only returns user IDs and usernames, the cyber spies can also obtain nicknames, mobile phone numbers, real names, birth dates, gender, and other data. In some cases, the attackers might also be able to obtain the IP addresses of WebRTC users, experts said.

Researchers believe that any user information obtained as a result of this attack could allow Chinese authorities to identify individuals of interest. 

“Even if the only data the attackers can obtain is a user ID for a specific website, this information can be used to pinpoint targets for espionage within the GFW [Great Firewall],” AlienVault’s Eddie Lee and Jaime Blasco wrote in a blog post.

The fact that Baidu, Taobao and other popular Chinese services are vulnerable to JSONP hijacking has been known for quite some time yet the the issue remains unresolved. According to AlienVault, JSONP hijacking attacks can be prevented by including a random value in all JSONP requests, using CORS instead of JSONP, not using cookies to customize JSONP responses, and not including user data in JSONP responses.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.