
Why Baidu Has Been Hijacked to Attack GitHub - RyanMcGreal
https://archive.today/KtgpS
======
TazeTSchnitzel
Hmm, I wonder if this could backfire. If it's an <iframe>, couldn't GitHub
insert code that framebusts? If it's some other mechanism, couldn't they block
by referrer? If it's CORS, couldn't GitHub deny CORS requests? If it's a
<script> tag, couldn't GitHub do some nasty XSS?

Edit: ooh, take a look at the more detailed look from insight-labs:
[http://insight-labs.org/?p=1682](http://insight-labs.org/?p=1682)

It's XMLHttpRequest ($.ajax), but with dataType: "script". Looking at the
jQuery docs
([http://api.jquery.com/jquery.ajax/](http://api.jquery.com/jquery.ajax/)):

_"script": Evaluates the response as JavaScript and returns it as plain
text. Disables caching by appending a query string parameter, "_=[TIMESTAMP]",
to the URL unless the cache option is set to true. Note: This will turn POSTs
into GETs for remote-domain requests._

Oh dear. If GitHub can detect this, GitHub can basically XSS all sites using
Baidu's analytics.

Edit 2: Oh, the insight-labs article says the attack has stopped.

~~~
Pirate-of-SV
That's exactly what they did! At the moment of this writing they are sending
back:

    alert("WARNING: malicious javascript detected on this domain")

when you're trying to reach:
[https://github.com/greatfire/](https://github.com/greatfire/) or
[https://github.com/cn-nytimes/](https://github.com/cn-nytimes/) That's why
other people have started to notice it (as the article describes).

Timeline of the attack looks something like this:

1. The Chinese firewall hijacks requests to
[http://hm.baidu.com/h.js](http://hm.baidu.com/h.js) and sends back a script
that attacks GH instead.

2. Github notices that a huge number of people are trying to reach
[https://github.com/greatfire/](https://github.com/greatfire/) and
[https://github.com/cn-nytimes/](https://github.com/cn-nytimes/)

3. GH figures out what's happening and starts replying with the alert
javascript snippet.

4. Users are now getting notified by the alert every time their browser runs
the hijacked javascript.

5. The person that wrote this article writes this article after investigating
what the alert message is about.

~~~
Fuxy
If I were Github I would redirect the attacker back at one of their own
resources.

An attack reflection of sorts.

Edit: You're technically not attacking, you're reflecting; if the attack stops
there's nothing to reflect.

Just like in martial arts you don't just take a beating, you defend and return
the opponent's attack back at them. Seems fair to me.

~~~
alimbada
Who should they "reflect" the attack back at? Baidu, who seem to be a victim
of HTTP hijacking in this case? Or the Chinese government? If the latter, then
where exactly do you focus the counter-attack?

~~~
briandear
Baidu == Chinese Government

~~~
true_religion
I don't know. If I were a private company, I'd go out of my way to avoid
antagonizing nation-state level governments.

------
TazeTSchnitzel
Does anyone have a mirror of the original article? "Error establishing a
database connection"

Edit: Google cached it here:
[http://webcache.googleusercontent.com/search?q=cache:CeVJaTq...](http://webcache.googleusercontent.com/search?q=cache:CeVJaTqfuZkJ:https://iyouport.com/archives/25775+&cd=1&hl=en&ct=clnk)

Edit 2: Here's an archive.today of Google's cache:
[https://archive.today/KtgpS](https://archive.today/KtgpS)

~~~
dang
Thanks. Since your second link works while
[http://translate.google.ca/translate?hl=en&sl=zh-CN&u=https:...](http://translate.google.ca/translate?hl=en&sl=zh-CN&u=https://iyouport.com/archives/25775&prev=search)
doesn't, and neither is an original source anyhow, we've swapped the URLs.

------
RA_Fisher
Assuming this is the Chinese government, what's their end game here? They must
believe that GitHub will bow to their will and remove Greatfire or block it
from China. Permanently? That seems incredibly naive. Also, have they not
considered the Streisand effect? Also, assuming they see Baidu as effectively
a state asset, why poison that brand for such a temporary gain? It doesn't
make sense.

~~~
michaelt

> They must believe that GitHub will bow to their will
> [...] That seems incredibly naive.

Plenty of technology companies would. Of course, they would call it "complying
with local laws in all countries in which we operate".

The only way to find out if Github is such a company is a few months of
successful attacks.

~~~
RA_Fisher
That's true. I remember being incredibly disappointed in Google when they
agreed to censor search results for China. Here's to hoping that GitHub is
willing to stand up to this bully.

~~~
warfangle
Censor but supply notice that they were censoring. And when China hacked into
gmail, they left the country rather than continue to comply with their laws.

------
Animats
The US government should prohibit US companies from complying with censorship
demands from China. It already does something like that to prevent US
companies from complying with the Arab League boycott of Israel.[1]

[1]
[https://www.bis.doc.gov/index.php/enforcement/oac#whatsprohi...](https://www.bis.doc.gov/index.php/enforcement/oac#whatsprohibited)

------
seanherron
Very interesting to look at the original content of
[https://github.com/greatfire/](https://github.com/greatfire/) and
[https://github.com/cn-nytimes](https://github.com/cn-nytimes). One appears to
be a collection of resources for proxying around the Great Firewall [1] and
the other has a number of clones of the New York Times translated into Mandarin
[2][3].

[1]:
[http://webcache.googleusercontent.com/search?q=cache:X_4LmyL...](http://webcache.googleusercontent.com/search?q=cache:X_4LmyL2jBsJ:https://github.com/greatfire+&cd=1&hl=en&ct=clnk&gl=us)

[2]: [https://github.com/cn-nytimes/mirrors](https://github.com/cn-nytimes/mirrors)

[3]: [https://dtl1al4e74u07.cloudfront.net/](https://dtl1al4e74u07.cloudfront.net/)

~~~
allochthon
I didn't realize until now that part of the NYT's strategy in having a
Mandarin version may be due in part to its being blocked in China -- a reply
to China's censors, of sorts.

------
akx
I think GitHub should have added a more descriptive error message (since they
control it thanks to how the attack vector works).

    alert(
      "The site you are visiting contains malicious JavaScript.\n" +
      "Your computer is currently being used to attack Github.com."
    )

or something...

~~~
Rezo
The only thing the average web user would take away from such a popup is that
github.com is annoying or spying on them, and then proceed to bombard github
with messages to knock it off (reminds me of when a blog temporarily became
the #1 search term for "facebook login", oh the hate that blog received for
"breaking my Facebooks")

~~~
TazeTSchnitzel
The average web user _has no idea GitHub is behind the popup_. You need to be
a web expert and look at the Network tab to know this.

~~~
Rezo
OP suggested adding "github.com" to the popup's message. That would be a Bad
Idea.

~~~
TazeTSchnitzel
Oh, right, silly me for not reading the context.

------
ElijahLynn
Everyone keeps saying "Chinese Government", this has no accountability. The
actual person in charge is Xi Jinping. Start naming names people.

[https://www.google.com/search?q=xi%20jinping](https://www.google.com/search?q=xi%20jinping)

~~~
kinghajj
From what I've read about Chinese leadership, it's incorrect to label Xi as
"in charge", at least if you mean in a dictatorial fashion. The CCP seems to
run by the consensus of top party leaders. Xi certainly has more
authority/sway than the rest, but I doubt he's making all of the decisions
alone.

~~~
yeukhon
Like every organization there is a need to maintain good relationships with
others. This means you have to make compromises and make deals. This means
people aren't always 100% in charge. You can choose to do things against the
will of some powerful enemy, and you will face the consequences. So Xi can make
all the decisions here. He can say "I want this to be done" and his officials
will carry it out. At this very moment, Xi is absolutely in charge of everything,
especially given his popularity.

------
grandalf
This is a very clever attack. I wonder if the same attack can be used on other
sites or if it exploits something about Github.

Github's data is difficult to cache and many pages load piecemeal using
turbolinks which itself creates lots of un-cacheable requests (cacheable only
until someone pushes a new commit).

So it would appear to be next to impossible to stop a distributed attack.

~~~
TazeTSchnitzel
> I wonder if the same attack can be used on other sites or if it exploits
> something about Github.

It doesn't exploit anything GitHub-specific! The way it's done is applicable
to any site. The reason is that it uses the <script> loophole around the Same
Origin Policy (<script> can be loaded cross-domain, thanks Eich...). They
basically just inject this every two seconds:

    <script src="http://github.com/greatfire/"></script>

The browser will request that page expecting a script. It'll get HTML, which
isn't valid JS, so the browser just ignores it, but the DDOS is successful.

However, this also makes all sites with the malicious JS vulnerable to an XSS
attack _by GitHub_ , like GitHub is currently doing. If you visit that URL,
you get this:

    alert("WARNING: malicious javascript detected on this domain")

Though I think the same trick could be done with, say, <img> or <style>, and
those wouldn't allow XSS (though <style> could fuck with the page, certainly).
Sloppy coding, Chinese Government employee...

~~~
jfroma
I was wondering if you can prevent this by looking at the "Accept" header in
the request but it seems accept is "*/*" for scripts. I'd expect the
browsers rather to send "application/javascript".

Then the answer from my server will be 400 because I don't have a javascript
representation of this url.

~~~
TazeTSchnitzel
Well, you're still spammed with requests.

~~~
jfroma
Yes, but it is not the same if I can reply with 400 directly without further
inspection.

I imagine github can do this at the reverse proxy level, instead of doing 20
queries to mysql and overloading the ruby application.
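
The cheap pre-filter described here, written out as an added example (not code from the thread, GitHub, or any proxy product): a browser fetching a `<script src>` sends `Accept: */*`, while a real page visit advertises `text/html`, so a proxy can answer 400 for the watched paths before the application sees the request and tally the referring hosts for detection. The two paths come from the thread; the sample requests, the Referer values and the function names are constructed for this example.

```javascript
// Added example, not from the thread: a reverse-proxy style pre-filter for
// requests that reach watched HTML paths via a hijacked <script src=...>.
// Heuristic (from the discussion above): a <script> fetch carries
// "Accept: */*", whereas a browser navigating to an HTML page advertises
// "text/html" (or "application/xhtml+xml").

// Paths mentioned in the thread as the attack's targets; prefix match.
const WATCHED_PREFIXES = ["/greatfire/", "/cn-nytimes/"];

// Detection telemetry: how many requests were rejected per referring host,
// so the sites embedding the hijacked script show up in proxy metrics.
const rejectedByReferer = new Map();

// Host part of the Referer header, or a placeholder when absent/unparsable.
function refererHost(referer) {
  if (!referer) return "(none)";
  try {
    return new URL(referer).host;
  } catch (e) {
    return "(invalid)";
  }
}

// True when the Accept header indicates the client expects an HTML document.
// A missing Accept header is treated as acceptable: we only short-circuit on
// positive evidence of a script-style fetch.
function acceptsHtml(accept) {
  if (accept === undefined) return true;
  const a = accept.toLowerCase();
  return a.includes("text/html") || a.includes("application/xhtml+xml");
}

// Decide how the proxy treats one request.
// req = { method, path, headers } with lower-cased header names (as Node's
// http module delivers them). Returns { status: 0 } to forward upstream or
// { status: 400, body } to answer immediately without touching the app.
function classify(req) {
  const watched = WATCHED_PREFIXES.some((p) => req.path.startsWith(p));
  if (!watched || req.method !== "GET") return { status: 0 };
  if (acceptsHtml(req.headers["accept"])) return { status: 0 };

  const host = refererHost(req.headers["referer"]);
  rejectedByReferer.set(host, (rejectedByReferer.get(host) || 0) + 1);
  return { status: 400, body: "" };
}

// Constructed sample traffic: two hijacked <script> loads (note jQuery's
// cache-busting "_=<timestamp>" query on the second) and one real visit.
const SAMPLE_REQUESTS = [
  { method: "GET", path: "/greatfire/",
    headers: { accept: "*/*", referer: "http://embedding-site.example/page1" } },
  { method: "GET", path: "/cn-nytimes/?_=1427400000000",
    headers: { accept: "*/*", referer: "http://embedding-site.example/page2" } },
  { method: "GET", path: "/greatfire/",
    headers: { accept: "text/html,application/xhtml+xml,*/*;q=0.8" } },
];

// Run the classifier over the sample and return the decisions.
function runSample() {
  return SAMPLE_REQUESTS.map((r) => classify(r).status); // → [400, 400, 0]
}
```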

~~~
TazeTSchnitzel
Well, GitHub is already returning a special response for those URLs.

------
dtech
This actually only says _how_ GitHub was attacked, which was already clear
this morning. It doesn't say why.

~~~
aikah
> It appears to be an attempt to pressure Github, a non-news organization, to
> censor content that China objects to.

------
yincrash
At what point will the US stop tolerating Chinese attacks on US companies?

~~~
TazeTSchnitzel
What do you mean by "stop tolerating"? Declare war?

~~~
yincrash
There are other diplomatic avenues besides declaring war.

~~~
TazeTSchnitzel
What, sanctions? The US is totally reliant on China for manufacturing. You'd
grind the West, and China, to a halt.

~~~
yincrash
We can start with the US publicly blaming China for the attacks. Public
consciousness does a lot by itself.

------
eggnet
GitHub should cut China off from all services until the attack stops. It is
clearly something the Chinese government doesn't want, or they'd just block
GitHub in the Great Firewall themselves.

~~~
r00fus
You seem to think China (or the folks running the great firewall) would be
unhappy losing GitHub. I don't think they'd care as long as those two repos
were effectively invisible to users.

~~~
logfromblammo
Redirect all visitors subjected to the GFC to one of those two repositories.
China loses all of GitHub _except_ the projects it hates the most.

~~~
Sanddancer
The childish part of me says to alter the redirect code to be a bit
more...shocking. I think the attack would stop a lot more quickly if baidu
users were subjected to, say, goatse or 2g1c.

------
smcl
Is google translate from Chinese (Mandarin presumably) always this good? I'm
pretty shocked by how coherent the resulting article is.

~~~
dheera
In this case the original article is in English.
[https://iyouport.com/archives/25775](https://iyouport.com/archives/25775) Not
sure why OP put it through Google Translate ...

~~~
erjiang
Google Translate has actually mangled the (English) text a bit by going from
English to English.

------
bstream
Here is the original article:
[https://thenanfang.com/why-baidu-was-hijacked-to-attack-gith...](https://thenanfang.com/why-baidu-was-hijacked-to-attack-github/)
(the one on iyouport links to this one)

------
roylez
If I understand correctly, there is almost no way to stop this attack because
it uses client side JavaScript code. If Baidu doesn't remove this malicious js
from its http response, github will continue to suffer.

~~~
Pirate-of-SV
Baidu is not doing anything wrong. The HTTP requests/responses are hijacked.

Baidu could make a switch to only support HTTPS though. That would require a
more elaborate attack.

------
itsmrwave
In hindsight, GitHub moving GitHub Pages away from the github.com domain
to github.io makes this whole situation less severe. Imagine all the GitHub-
Pages-powered sites that would have been down at the moment.

[https://github.com/blog/1452-new-github-pages-domain-github-...](https://github.com/blog/1452-new-github-pages-domain-github-io)

Obviously the link above might not work at the moment.

~~~
itsmrwave
I think I spoke too soon ... latest update:

"19:23 UTC The on-going DDoS attack now includes GitHub Pages. We are working
to mitigate any service disruption."

[https://status.github.com/messages](https://status.github.com/messages)

~~~
saurik
It would be exceptionally epic if you didn't "speak too soon" but instead
"gave them the idea" ;P.

------
invisible
Why wouldn't they make the pages in question serve window.top.location =
"somewhere";?

~~~
chwahoo
Their solution stops the reloads for each browser and has the benefit of
alerting the user that something's wrong, without hammering "somewhere".

~~~
invisible
But if users just click OK multiple times it still means more requests (since
it was happening every 2 secs).

------
Dorian-Marie
They seem to push the DDoS from multiple fronts, for instance this repo has
100k random-number commits:
[https://github.com/greatfire/z](https://github.com/greatfire/z)

~~~
TazeTSchnitzel
I don't think that's DDoS. It's probably the authors of the project frequently
changing it to evade Chinese censorship.

------
LLWM
Because they can't just seize the servers the way the US does.

------
brador
Would it be possible to use this and the CSS link color hack as a way to see
which users had visited those Github URLs?

Could that be the real aim here?

------
undefined0
That's why websites should stop including javascript from third party sources.
For my analytics, I use liveinternet.ru because it runs the javascript locally
on my website but passes the browser information via an image embed.
Liveinternet has no ability to execute malicious code and yet I can still use
them as a fully functioning analytics service.

~~~
Sanddancer
How much more difficult is using liveinternet.ru, out of curiosity? Google
Analytics got popular because all you had to do was paste a single line to the
bottom of your site and Google would handle the rest.

~~~
undefined0
It's just as easy, it's a small snippet of code you paste at the bottom of
your site. However, the site doesn't have a pretty design like Google but
that's why I prefer it - it's simple and works with NoScript.

------
zhng
Is the best way to currently prevent this via full SSL?

Additionally, how can a site like Amazon.com run non-ssl protected pages and
prevent mitm-ing? (e.g.
[http://www.amazon.com/dp/B00TYBBNAW/](http://www.amazon.com/dp/B00TYBBNAW/)
doesn't redirect to https, but only when ordering, etc.)

------
dujiulun2006
Chinese govt is telling the world with this attack that: (1) GFW can interfere
with incoming traffic. (2) GFW can f*** with people all around the world. (3)
You can't block a Chinese cyber attack simply by cutting off Chinese users.
(4) The Chinese govt is a d***head.

~~~
aaronem
Well, no.

The Chinese government is telling the world with this attack that, if you
choose to interfere with Chinese sovereignty by means of the Internet, or to
enable those who would do that, then there’s a cost.

Note the way the attack is targeted. It's not just an indiscriminate DDoS of
Github, although that's been the effect — instead, they're aiming specifically
at two repos whose content, being designed and built with the aim of
circumventing the technical means by which a significant goal of China's
domestic policy is implemented, enables no more or less than a direct attack on
the sovereignty of the Chinese government.

To use that content is to say: "You may not run your country in the fashion
you choose, because it does not suit me that you should do so."

To host that content is to say: "In this matter, we take the side of those
attacking the sovereignty of the Chinese government, by making it easy for
them to share and improve the tools with which they do so."

What you're seeing, then, is the quite reasonable response of the Chinese
government to these statements. Yes, it's annoying for those of us who use
Github, and no doubt it's much worse than merely annoying for those who
administer Github. _That is the point._ Github is being encouraged to consider
how much it's worth to them to maintain the stance they've implicitly taken in
this matter. I'm looking forward to seeing how they respond.

~~~
dujiulun2006
Wow. That was just a jokey comment about how angry I was about the Chinese
govt.

As one of the billion people who live inside the Intranet "protected" by the
GFW, I guess I can say I'm quite aware about how and why this happened. Let's
start from the beginning.

For those who host things the Chinese govt doesn't like, it usually just blocks
the website altogether (Twitter, FB, and recently Google). But it had tried to
block Github, twice. Each time there was a _huge_ response from the Chinese
webizens (mainly programmers) calling to unblock it.

Another way to block certain content from a website is to filter by keyword
(like Wikipedia). But GH is encrypted so that's a no. The govt even tried to
use some fake SSL certificates to MITM it. So some "smart" guys exploited this
feature and created the repo greatfire/wiki and things like this.

Then some evil guys from GFW thought of this way, directing the attack at
these user accounts, to warn GH to remove these accounts.

What I don't agree with you is the word "reasonable" (and the "no"). First,
it's _never_ "reasonable" to DDoS attack a website. Second, if you can't block
the content, you have a choice to block the website and take the bitter from
every single webizen against you. Finally, I believe it's the website owner's
choice to choose who / what they want to use their website. Since GH is a U.S.
company (I guess), it doesn't _have_ to listen to a sh*t from the Chinese
govt.

~~~
westiseast
I totally agree with you - the Chinese government has some right to protect
their sovereignty, but if github or the American way of life is so offensive,
then block the website and tools outright. I live here too, and it's kind of
offensive when (speaking generally now) Chinese people want cherry-picked
access to Western technology, science, design, creativity etc. but then
aggressively reject the culture that produced them.

------
iso8859-1
Why did GitHub not just put a Bitcoin miner or a BOINC client instead of the
alert? The Chinese are not going to care about the warning anyway, it would be
more educational to peg their CPU to 100% usage and make some spare change
while you're at it.

~~~
tthayer
This DDoS is mainly punishing people who are using VPN to skirt The Great
Firewall (and people who use GitHub). What is the point of 'punishing' people
who aren't doing this on purpose?

------
borgia
That's a fairly neat attack, to be fair to them. I don't see why Github, upon
receiving these requests, wouldn't just do the same back to China and
absolutely hammer some of their resources in return?

~~~
Igglyboo
Github generates nowhere near the amount of traffic that Baidu does.

~~~
MikeTV
While Github is receiving a fair percentage of Baidu's traffic, though...

~~~
borgia
>While Github is receiving a fair percentage of Baidu's traffic, though...

Yeah that's my thinking on it. They're being handed traffic, or more correctly
having it thrown at them maliciously, which they could in turn redirect back
at some point in the Chinese infrastructure.

~~~
frankchn
Who do they reflect the attack to though? Baidu? They might not even know this
is happening (well they probably do now, but not sure what they can do). The
GFW infrastructure itself certainly isn't publicly addressable.

------
lehenbauer
They could just mirror all the git repos minus what they find objectionable.
github isn't immune to pressure. They would probably like to sell a lot of
github enterprise and whatnot in China.

------
echohtp
Its not lab grade testing, but there is the old standby
[https://dancesafe.org/](https://dancesafe.org/)

------
weberc2
I'm bored of Chinese hackers attacking Western companies... Let's mix it up a
bit and hear about some Western hackers attacking Chinese organizations.

~~~
SEJeff
Well there is plenty to read about Western governments hacking Chinese
organizations. Google "edward snowden china" for starters :)

------
pbhjpbhj
> "_Requests to Baidu's content data network are being intercepted and sending
> back some javascript code instead of the original requested file. The
> javascript code instructs visitors' browsers to request the Github pages of
> anti-censorship group Greatfire and the Chinese language edition of the New
> York Times._"

I must be misunderstanding - is there a salient piece of info missing?

It makes no sense for the Chinese government to attempt to foil censor
bypassing by sending all users of Baidu a link to a project on GitHub that
enables censor bypassing.

As one outcome is to inform all affected Baidu users of bypass tools and a non-
government controlled newspaper, this looks more likely to be a rogue element
to me.

It doesn't even look like what I'd call DDoS - sending genuine users to your
site who might be interested in your product, isn't that an unpaid affiliate
scheme?!?

~~~
chengsun
This was worded misleadingly. This is indeed a DDoS: code has been injected to
load the Github pages in the background using XHR without the user's
knowledge. The host page itself is not redirected (or visibly affected in any
way[1]).

Furthermore, only people _outside_ of China are affected by this -- Chinese
citizens don't have this code injected.

[1]: Actually there is a mistake in the injected code that causes the result
of the XHR request to be interpreted as JavaScript, and then executed. Hence
GitHub has tried to mitigate the attack by replying 'alert("WARNING: malicious
javascript detected on this domain")' to notify the user that this is
happening.

~~~
TazeTSchnitzel
> Actually there is a mistake in the injected code that causes the result of
> the XHR request to be interpreted as JavaScript, and then executed

That's not a mistake. GitHub, like 99.99% of the Internet, doesn't allow
cross-origin XHR for their pages (that's a security vulnerability). So they
have to use _<script>_ which doesn't follow the Same Origin Policy.

Though that's a bit silly, given they could've also used _<img>_ which
wouldn't be vulnerable to XSS.

~~~
chengsun
Ah, that clears things up. Thanks for the info.

