

Chinese Hackers Circumvent Popular Web Privacy Tools - braythwayt
http://www.nytimes.com/2015/06/13/technology/chinese-hackers-circumvent-popular-web-privacy-tools.html
The NYT is reporting that a JSONP vulnerability reported in 2013 but not fixed by its major internet companies is being exploited to track browsing and steal identifying information from users logged into Chinese web sites like Alibaba. The tracking appears to target journalists, dissidents, and its ethnic minorities.
======
jjar
Ok so VPNs and Tor aren't compromised. It's China's web services servers that
are. Please refrain from making clickbait-y styled topic titles.

~~~
mfoy_
Although the method of the attack didn't directly break Tor/VPN, the nature of
it has compromised confidence in those technologies.

What good is using Tor or a VPN if I can't be sure any web page I load will
compromise me? Suddenly every single link becomes a potential land mine... is
the web server compromised? Is it safe?

You could argue that, of course, loading a malicious web page will do
malicious things. But in this case, the malicious code is compromising all
further web activity as well from the sounds of it.

~~~
the8472
AIUI the issue only occurs when you're browsing through Tor with a browser
profile that also contains logins to Chinese websites linked to your identity.

This is why you shouldn't run your regular browser session through Tor for
critical work and use the Tor browser bundle instead, with a separate profile,
with an as-paranoid-as-possible configuration (minimal cross-site requests! use
µMatrix, not just noscript) if you really want to information leakage.

Tor itself can only do so much, it doesn't magically prevent your browser from
telling the world that you're person X.
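
Added illustration, not part of the thread or of any commenter's post: a generic sketch of why a logged-in browser profile leaks identity through a JSONP endpoint regardless of the network path, and what the site operator can check. It does not reproduce the code from the reported attacks; every host, session id, function name and value below is constructed.

```javascript
// Constructed server-side state: one logged-in session on a hypothetical portal.
const SESSIONS = { "sid-constructed-1": { user: "alice", email: "alice@example.test" } };
const TRUSTED_HOSTS = new Set(["portal.example.test"]);

// Pull the session out of the Cookie header the browser attaches automatically.
function sessionFrom(cookieHeader) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || "");
  return m ? SESSIONS[m[1]] : undefined;
}

// Unhardened endpoint: any page that includes it as a script receives the profile,
// because the portal's cookie is sent no matter which site triggered the request.
function jsonpNaive(req) {
  const profile = sessionFrom(req.headers.cookie) || null;
  return { status: 200, body: `${req.query.callback}(${JSON.stringify(profile)})` };
}

// Hardened endpoint: strict callback name, same-site Referer required, no sniffing.
function jsonpHardened(req) {
  const cb = req.query.callback || "";
  if (!/^[A-Za-z_$][\w$]{0,63}$/.test(cb)) return { status: 400, body: "" };
  let host = "";
  try { host = new URL(req.headers.referer).hostname; } catch (_) { /* missing or malformed */ }
  if (!TRUSTED_HOSTS.has(host)) return { status: 403, body: "" };
  const profile = sessionFrom(req.headers.cookie) || null;
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff" },
    // Leading comment keeps the first bytes of the response out of the caller's control.
    body: `/**/${cb}(${JSON.stringify(profile)})`,
  };
}

// Constructed requests: the same logged-in browser, two different including pages.
function request(referer, callback = "render") {
  return { query: { callback }, headers: { referer, cookie: "theme=dark; sid=sid-constructed-1" } };
}
const thirdParty = request("https://news.example.net/article");
const firstParty = request("https://portal.example.test/home");

console.log(jsonpNaive(thirdParty).body);       // profile handed to a foreign page
console.log(jsonpHardened(thirdParty).status);  // refused
console.log(jsonpHardened(firstParty).body);    // served only to the portal's own pages
```

Marking the session cookie `SameSite=Lax` or `Strict` addresses the same problem from the other side: the browser then does not attach it to cross-site script loads at all.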

~~~
mo
Tor Browser protects against these sorts of attacks very well. Just don't use
Tor with a regular browser.
[https://twitter.com/torproject/status/610542145305464832](https://twitter.com/torproject/status/610542145305464832)

------
lucb1e
TL;DR: Tor and VPN are safe. What they did is hack some big Chinese websites
(or force them to be vulnerable or something). Then when a Tor or VPN user
visits one of these websites they can be unmasked somehow. It's unclear to me
what malicious code is used, whether you need to be logged into one of these
websites, whether it can then unmask you when you visit other (not one of the
hacked) websites, etc.

Another point of interest in the article might be the fact that they blocked
VPN protocols to prevent people from using them. And, in case you missed it,
the Chinese government tried to knock Github offline by hijacking a Chinese
website's traffic (Baidu).

---

This is a really terrible article. It doesn't really explain how it works,
claims a government cracked things that are uncracked, claims it's the Chinese
government while that's only assumed (based on "who else would go to such
extensive lengths" mentioned by someone), and misnames things. For example:

> The vulnerability, known as JSONP

Uhm, no. This is JSONP:

> JSONP [is] a communication technique used in JavaScript

(From Wikipedia.)

------
jgrahamc
I'm going to assume that the "JSONP vulnerability" is actually Rosetta Flash:
[https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/](https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)

~~~
majke
Isn't flash disabled by default in tor browser bundle (TBB)? I assume most
reasonable Tor users rely on TBB.

------
hellbanner
"What made the attacks particularly serious, Mr. Blasco said, *was that as
long as the victims were logged into China’s 15 top web services — including
major portals like Baidu, Taobao, QQ, Sina, Sohu, Ctrip and RenRen — the
attackers could identify them and siphon off their personal digital
information, even if their victims were logged into Tor or a VPN.*

They did this with the aid of a particularly serious vulnerability that 15 web
services in China apparently never patched."

Asterisks for emphasis. No shit, sherlock.

------
bakhy
What does any of this mean? I really can't figure it out. I thought it was
standard advice to never, NEVER log into anything which can identify you while
you're using Tor (which is why the best way to do it is from Linux
distributions on a stick). And the talk about Facebook fixing this "gaping
hole" in their security... If someone could clarify all of this, or maybe
provide a better link, I would be grateful.

------
ricw
The interesting take away here is that Chinese web services deliberately
delay/don't patch their services to accommodate Chinese spoofing. In this case
the JSONP vulnerability from 2013 allows them to hack a user's computer,
thereby compromising any data on that computer.

Neither Tor nor VPN is compromised.

------
dang
This is a good article, but the HN guidelines ask you not to editorialize
titles. Submitted title was "China has now compromised VPNs and Tor".

(If this was just the NYT changing its own title as it is wont to do, then
ignore the above. But it doesn't sound like an NYT title.)

------
facepalm
Sounds like incorrect use of Tor? I suppose while using it you still must take
care to not send stuff along that could compromise you, like your Facebook
login cookie?

------
iokanuon
It's considered insecure to browse the web with TOR while having Javascript
enabled. This is not news.

------
ufo
Virtual methods and functions behave very differently from an extensibility
point of view. I much prefer using named parameters or replacing the bool with
an enum.

[http://c2.com/cgi/wiki?ExpressionProblem](http://c2.com/cgi/wiki?ExpressionProblem)

