
Chinese hackers are bypassing web privacy tools, say researchers

A new Chinese watering hole attack is exposing the details of visitors to certain websites even if they are using Tor browsers or VPNs, researchers have found

Chinese hackers are using a new watering hole attack to circumvent popular web privacy tools, according to researchers at security firm AlienVault.

These attacks commonly target particular groups through certain websites, which in this case include international non-governmental organisations (NGOs) and Uyghur and Islamic websites.

The attackers compromise websites used by the groups and include malicious content that is executed when users access the affected websites.

The researchers found that Chinese hackers are exploiting vulnerabilities in China’s most-visited websites to target individuals accessing web content state censors consider hostile.

Even users deploying popular web privacy tools, such as Tor browsers or virtual private network (VPN) connections, to bypass government surveillance are vulnerable to this latest watering hole attack.

The attack uses a novel technique AlienVault researchers said they have not seen before with watering hole attacks.

First, the attackers compromise several Chinese-language websites associated with NGOs, Uyghur communities and Islamic associations.

Next, the attackers modify the content of the website and include a JavaScript file from a malicious server that exploits JSONP hijacking vulnerabilities in more than 15 different Chinese websites, including the four most popular sites.

JSONP is a widely used technique to make cross-domain JavaScript requests that bypass the same-origin policy. However, bypassing the same-origin policy can lead to information leakage between different origins or domains.

Using JSONP requests, the attackers are able to bypass cross-domain policies and collect a user’s private information if the user is logged in to one of the affected services.  

The JavaScript code then sends the user’s private data to an attacker-controlled server.


According to Jaime Blasco, vice-president and chief scientist at AlienVault, the JSONP vulnerability was first publicised in 2013, but the affected sites did not patch the problem, making these most recent attacks possible.  

He said this campaign has been targeting a very small group of people, and since there is no financial gain from collecting most of the leaked personal data, the attackers appear to be looking to reveal the identity of users visiting certain websites.

Blasco said affected sites should fix the JSONP hijacking vulnerabilities by including a random value in all the JSONP requests, not using cookies to customise JSONP responses, not including user data in JSONP responses, or using cross-origin resource sharing (CORS) instead of JSONP.

He also recommends that users be vigilant and follow best practices when browsing the web, especially if they are worried about being tracked.

“For example, do not browse sensitive websites after logging into another website – even in a different tab or window. It is really important to understand the differences between anonymity and privacy. For instance, if you are using TOR or a VPN service that encrypts your communications, it is going to give you a certain level of privacy, but your anonymity is still at risk,” he wrote in a blog post.

Blasco said anonymity is being “non-identifiable” or un-trackable, but it is difficult to remain anonymous when using services where personal information has been revealed and then browsing other sites that can exploit vulnerabilities to access that personal information.
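The server-side fixes Blasco lists for affected sites can be sketched as follows. This is an added example, not code from the article or from AlienVault: it shows a cookie-customised JSONP handler beside a version that requires a random per-session value and a CORS alternative. The session store, origins, token and function names are all hypothetical, constructed values.

```javascript
// Added example: a JSONP endpoint modelled as pure functions so it runs offline.
// Every name and value here is hypothetical or constructed.
const sessions = new Map([ // cookie value -> account data and per-session token
  ['sid-123', { user: 'alice@example.test', token: 'c0ffee5eed1234567890abcd' }],
]);
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);

// Constant-time comparison for the token check.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// BEFORE: the response is customised by cookie alone, so any page that includes
// this URL as a script receives the logged-in user's data in its callback.
function vulnerableJsonp(req) {
  const s = sessions.get(req.cookies.sid);
  const data = JSON.stringify({ user: s ? s.user : null });
  return { status: 200, body: `${req.query.callback}(${data})` };
}

// AFTER (random value): the request must also carry the per-session token.
// Assumption: the token comes from a CSPRNG and is given only to the site's own pages.
function hardenedJsonp(req) {
  const s = sessions.get(req.cookies.sid);
  const cb = req.query.callback || '';
  // Extra hardening not taken from the article: accept only identifier-like callbacks.
  if (!s || !/^[A-Za-z_$][\w$]{0,63}$/.test(cb)) return { status: 400, body: '' };
  if (!safeEqual(req.query.token, s.token)) return { status: 403, body: '' };
  return { status: 200, body: `${cb}(${JSON.stringify({ user: s.user })})` };
}

// AFTER (CORS instead of JSONP): plain JSON, released only to allowlisted origins.
// Assumption: this API is only called cross-origin, so a missing Origin is refused.
function corsJson(req) {
  const s = sessions.get(req.cookies.sid);
  const origin = req.headers.origin;
  if (!s || !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: '' };
  return {
    status: 200,
    headers: { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' },
    body: JSON.stringify({ user: s.user }),
  };
}
```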
