Hackers—believed to be the Chinese government—carried out a
“watering hole attack” against visitors to websites trafficked by Chinese
journalists and Uighurs, a Muslim ethnic minority: they planted code in
websites that would in turn plant itself in visitors’ web browsers. Tor and VPN users were affected just the same
as other internet users. As long as visitors were also logged into Baidu,
Taobao or one of China’s 13 other major web services, hackers gained access to
their names, addresses, sex, birth dates, email addresses, phone numbers and
internet cookies.
This situation, however, could have easily been avoided. At
fault is JSONP, an unpatched vulnerability in China’s most popular web services,
or more accurately, the powers that have allowed JSONP to continue. JSONP was made
public in 2013—when it was previously used to target Uighur websites—but to
this day has not been fixed. It is hard to imagine a reason to keep JSONP in
place unless pressure existed to keep it there.
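
How a cross-site script include reads a logged-in user's data through JSONP (JSON with padding), and one way to close that hole, shown as an added example that is not code from the services or researchers named here. The handler names, the origin allowlist and the profile record are constructed for illustration.

```javascript
// Added example: every name, origin and record below is constructed.
const TRUSTED_ORIGINS = new Set(['https://portal.example.test']);

// Constructed sample of what a logged-in user's profile endpoint returns.
const PROFILE = { name: 'Sample User', email: 'user@example.test' };

// Before: the reply is executable script wrapped in a caller-chosen function.
// A <script src=".../profile?callback=f"> on ANY site receives it, because the
// browser attaches the session cookie and script includes are not blocked by
// the same-origin policy. VPN or Tor changes the IP address, not the cookie.
function vulnerableHandler(req) {
  if (!req.cookies.session) return { status: 401, headers: {}, body: '' };
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${req.query.callback}(${JSON.stringify(PROFILE)})`,
  };
}

// After: no executable wrapper. Plain JSON cannot be read through a cross-site
// <script> tag, and only allowlisted origins are granted credentialed CORS.
function hardenedHandler(req) {
  if (!req.cookies.session) return { status: 401, headers: {}, body: '' };
  if ('callback' in req.query) return { status: 400, headers: {}, body: '' };
  const headers = {
    'Content-Type': 'application/json',
    'X-Content-Type-Options': 'nosniff', // browser refuses to run it as script
  };
  const origin = req.headers.origin;
  if (origin !== undefined) {
    if (!TRUSTED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: '' };
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  }
  return { status: 200, headers, body: JSON.stringify(PROFILE) };
}

// Constructed request: a script include from a third-party page.
const include = { cookies: { session: 's1' }, query: { callback: 'cb' }, headers: {} };
console.log(vulnerableHandler(include).body);  // profile handed to the caller's function
console.log(hardenedHandler(include).status);  // request refused
```

Setting `SameSite` on the session cookie adds a second layer, since the cookie is then not attached to the cross-site include in the first place.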
The New York Times quoted AlienVault security researcher Jaime Blasco’s
response to JSONP’s continued existence: “The equivalent would be if law
enforcement was able to exploit a serious vulnerability in Facebook to deanonymize
users of Tor and VPNs in the United States. You would assume Facebook would fix
that pretty fast.”
This latest hack shows the extent to which the Great Firewall of China plays by its own rules. Most hackers are motivated by
money, but as Blasco pointed out, “There’s no financial gain from targeting
these sites.” Instead, China targets citizens daring to embrace their rights to
freedom of expression and religion. These are the very people that VPNs were designed for, yet no
amount of technology has proven to withstand a complex, targeted attack from this
government.
VPN and Tor users outside of China are likely happy to be so. However, if we are willing to
accept that the JSONP vulnerability is just a backdoor by another name, the
dividing line between China and its neighbors begins to blur. Governments in
the United States and the United Kingdom continue to push for backdoor access to encrypted technology; let
the latest Chinese hack serve as a reminder of just how dangerous such access
could be.