[jfroma]

Why the attacker will run the content loaded as an script instead of just dumping what they get?

Edit: I think is the dataType: "script" part. From jquery docs:

> "script": Evaluates the response as JavaScript and returns it as plain text.

[dandelany]

They have no choice. If they used an AJAX call it could be blocked by (lack of) ACAO headers. The only way to hit a remote URL that cannot be blocked is by adding a <script href="//github..." /> tag to the URL, which means the client has no choice but to run the contents.

[IshKebab]

What about an img tag?

[dandelany]

Hmm, yes that would probably work... Not sure though.

[mckoss]

The JavaScript used is very amateurish with many outmoded features, poorly optimized. I couldn't believe they were loading jquery, for example. This looks to be the work of a script kiddie rather then a superpower's cyber warriors.

[zagnut8088]

I agree - but it might just be deflection. The Chinese could use the same argument to assert they bore no responsibility. Besides - everybody has jquery cached. Why create an ajax from scratch and add to the weight of the crap they are injecting into the script?

For quick and dirty I like it. Its not exactly long term or really destructive - but its kind of a cute and clever attack.

Github's response to pop an alert was priceless. Sure it probably annoyed the hell out of millions of Chinese people - and their government will probably claim Github attacked them --- but the truth will out... maybe.

Totalitarian regimes are shady as hell.

[slang800]

Or a script kiddie working for a superpower.