Chinese Hackers Circumvent Popular Web Privacy Tools (nytimes.com)
The NYT is reporting that a JSONP vulnerability reported in 2013 but not fixed by its major internet companies is being exploited to track browsing and steal identifying information from users logged into Chinese web sites like Alibaba. The tracking appears to target journalists, dissidents, and it's ethinic minorities.
19 comments
[ 0.26 ms ] story [ 82.7 ms ] threadThey did this with the aid of a particularly serious vulnerability that 15 web services in China apparently never patched."
Asteriks for emphasis. No shit, sherlock.
What good is using Tor or a VPN if I can't be sure any web page I load will compromise me? Suddenly every single link becomes a potential land mine... is the web server compromised? Is it safe?
You could argue that, of course, loading a malicious web page will do malicious things. But in this case, the malicious code is compromising all further web activity as well from the sounds of it.
This is why you shouldn't run your regular browser session through TOR for critical work and use the tor browser bundle instead, with a separate profile, with a as-paranoid-as-possible configuration (minimal cross-site requests! use µMatrix, not just noscript) if you really want to information leakage.
Tor itself can only do so much, it doesn't magically prevent your browser from telling the world that you're person X.
HN title reads: China has now compromised VPNs and Tor
I only saw your question by chance. To reliably get a response, please email hn@ycombinator.com.
Neither tor nor Vpn is compromised.
Another point of interest in the article might be the fact that they blocked VPN protocols to prevent people from using them. And, in case you missed it, the Chinese government tried to knock Github offline by hijacking a Chinese website's traffic (Baidu).
---
This is a really terrible article. It doesn't really explain how it works, claims a government cracked things that are uncracked, claims it's the Chinese government while that's only assumed (based on "who else would go to such extensive lengths" mentioned by someone), and misnames things. For example:
> The vulnerability, known as JSONP
Uhm, no. This is JSONP:
> JSONP [is] a communication technique used in JavaScript
(From Wikipedia.)
http://c2.com/cgi/wiki?ExpressionProblem
(If this was just the NYT changing its own title as it is wont to do, then ignore the above. But it doesn't sound like an NYT title.)