by orf 4109 days ago
According to this[1] post GitHub (or someone else in between) started changing the responses to alert("Malicious Script Detected")[2]. That's an awesome counterattack - this stops the script from looping indefinitely and annoys the users.

1. http://insight-labs.org/?p=1682

2. https://github.com/greatfire/

8 comments

For github, this is a smart move.

But, really, you can hardly negotiate with the Chinese government. I'm pretty sure that they will deny this attack and re-emphasize their so-called Internet policy.

If I were github, instead of a warning message, I would redirect the workload to some Chinese government website and let them suffer what they've created. Let's face it, they are waging a war on the Internet first.

Edit: Disclaimer: I know that my post is quite biased, especially this one. I'm not suggesting that people should wage a war against the Chinese government. Please take my words just as a (biased?) sample from an ordinary Chinese citizen who is really tired of the government's censorship.

> Let's face it, they are waging a war on the Internet first.

The two most important aspects in war are casus belli and plausible deniability. China has the latter and github lacks the former. Thus github would lose by default in any 'war' against the Chinese government.

How would github redirect the load?
I think you are underestimating the volume of traffic. Simply generating that many 301s would be an issue. And... where would you redirect to?
Generating a 301 is certainly less work than rendering the entire user's profile page.
Generating a 301 is likely more work. Profile pages are simple database hits, and they may be dynamically or even statically cached (for popular pages). You're probably severely underestimating how much traffic China can produce [1].

1. http://furbo.org/2015/01/22/fear-china/

Instead of that "script detected" they should convert the whole page to something the Chinese government really hates, like the Tiananmen Square massacre.
I hope they do. I hope they regret it happened. It should never have happened.
And DDoS the end sites?
If the message had some information about the Tiananmen Square massacre or some other censored information, the attack would probably stop. At least temporarily.
This is a genius idea, using the GFW to deflect GFW attacks!
They are using the IP outside China...
Very interesting defense. It seems that it works because the attacking AJAX call is done with content dataType 'script'. I don't think it'll be too hard for the attacker to fix that.
It's either that or call a jsonp endpoint, which could still throw up the alert. CORS protects standard AJAX from requesting anything outside the current domain.
So Baidu is using eval() instead of JSON.parse()? What kind of engineers did they hire?!
They're using neither. It's a cross-domain call so Github could block a regular AJAX GET by just not including ACAO headers. So they are using $.get with dataType 'script'. This is basically like JSONP without the callback - it adds a script tag with the remote URL to the page which means the client has no choice but to run the contents.
Even I use JSON.parse() without knowing its benefit :3
JSON.parse takes a string of "JSON" and turns it into a JS object. It doesn't evaluate the string in a JS context at all, which is what eval() does.

Some people have used eval() to do JSON parsing because JSON is a subset of JS, but if the user has any control over making malformed JSON, they could do so to create JS that can do anything the page can from the context of another user, otherwise known as Cross-Site Scripting (XSS).
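
The eval-versus-JSON.parse point above, as an added example that is not from the thread. It feeds the same constructed text to both parsers: JSON.parse only builds data and rejects anything that is not JSON, while the legacy eval path runs whatever expression the text carries (the `globalThis.__hit` counter is a constructed marker standing in for arbitrary code).

```javascript
// Added example (not from the thread): why JSON.parse is safe where eval is not.
// Both functions receive text from an untrusted source; only eval treats it as a program.

// Constructed sample payloads.
// BENIGN is well-formed JSON; MALFORMED is valid JavaScript but not JSON, and the
// expression inside it increments a global counter when executed.
const BENIGN = '{"user":"alice","roles":["reader"]}';
const MALFORMED =
  '{"user":"alice","roles":[(globalThis.__hit = (globalThis.__hit || 0) + 1)]}';

// Hardened parser: JSON.parse accepts data only and throws SyntaxError otherwise.
function parseWithJSON(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Legacy/vulnerable parser, kept only for contrast: eval executes the text.
// The parentheses make the braces parse as an object literal instead of a block.
function parseWithEval(text) {
  try {
    return { ok: true, value: eval('(' + text + ')') };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Runs both parsers over the payloads and records whether the marker code executed.
function demo() {
  globalThis.__hit = 0;
  const jsonBenign = parseWithJSON(BENIGN);       // ok, plain object
  const jsonMalformed = parseWithJSON(MALFORMED); // rejected, SyntaxError
  const hitsAfterJSON = globalThis.__hit;         // still 0: nothing ran
  const evalMalformed = parseWithEval(MALFORMED); // "succeeds" and runs the expression
  const hitsAfterEval = globalThis.__hit;         // now 1: attacker-controlled code ran
  return { jsonBenign, jsonMalformed, hitsAfterJSON, evalMalformed, hitsAfterEval };
}
```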

I wonder what percentage of Baidu users read English rather than just Chinese.
Wikipedia suggests the English-reading Chinese population is in the hundreds of millions (much higher than the English-speaking Chinese population), and I would guess that group overlaps quite a bit with Baidu users.
Why would the attacker run the content loaded as a script instead of just dumping what they get?

Edit: I think it is the dataType: "script" part. From the jQuery docs:

> "script": Evaluates the response as JavaScript and returns it as plain text.

They have no choice. If they used an AJAX call it could be blocked by (lack of) ACAO headers. The only way to hit a remote URL that cannot be blocked is by adding a <script href="//github..." /> tag to the URL, which means the client has no choice but to run the contents.
What about an img tag?
Hmm, yes that would probably work... Not sure though.
The JavaScript used is very amateurish with many outmoded features, poorly optimized. I couldn't believe they were loading jquery, for example. This looks to be the work of a script kiddie rather than a superpower's cyber warriors.
I agree - but it might just be deflection. The Chinese could use the same argument to assert they bore no responsibility. Besides - everybody has jquery cached. Why create an ajax from scratch and add to the weight of the crap they are injecting into the script?

For quick and dirty I like it. It's not exactly long term or really destructive - but it's kind of a cute and clever attack.

Github's response to pop an alert was priceless. Sure it probably annoyed the hell out of millions of Chinese people - and their government will probably claim Github attacked them --- but the truth will out... maybe.

Totalitarian regimes are shady as hell.

Or a script kiddie working for a superpower.
I feel like this alert should be in Chinese for greatest effect