Written by Nick Heer.

China’s Man-on-the-Side Attack on GitHub

Netresec’s Erik Hjelmvik:

In short, this is how this Man-on-the-Side attack is carried out:

  1. An innocent user is browsing the internet from outside China.
  2. One website the user visits loads a javascript from a server in China, for example the Badiu Analytics script that often is used by web admins to track visitor statistics (much like Google Analytics).
  3. The web browser’s request for the Baidu javascript is detected by the Chinese passive infrastructure.
  4. A fake response is sent out from within China instead of the actual Baidu Analytics script. This fake response is a malicious javascript that tells the user’s browser to continuously reload two specific pages on GitHub.com.

However, not all users loading javascripts from inside China are attacked in this way. Our analysis shows that only about 1% of the requests for the Baidu Analytics script are receiving the malicious javascript as response. So in 99% of the cases everything behaves just like normal.

The attack has ended, for now, but that doesn’t make this any less frightening. If you’re a big-ish website that hosts views contrary to the Chinese government’s liking, your website could get torpedoed. Or you could get caught in the crossfire.

By the way, the two targeted repos were greatfire and cn-nytimes. Both are very clever workarounds for the Great Firewall.