[chengsun]

This was worded misleadingly. This is indeed a DDoS: code has been injected to load the Github pages in the background using XHR without the user's knowledge. The host page itself is not redirected (or visibly affected in any way[1]).

Furthermore, only people outside of China are affected by this -- Chinese citizens don't have this code injected.

[1]: Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed. Hence GitHub has tried to mitigate the attack by replying 'alert("WARNING: malicious javascript detected on this domain")' to notify the user that this is happening.

[TazeTSchnitzel]

> Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed

That's not a mistake. GitHub, like 99.99% of the Internet, doesn't allow cross-origin XHR for their pages (that's a security vulnerability). So they have to use <script> which doesn't follow the Same Origin Policy.

Though that's a bit silly, given they could've also used <img> which wouldn't be vulnerable to XSS.

[chengsun]

Ah, that clears things up. Thanks for the info.

[pbhjpbhj]

Thanks for the clarifier.

So the text I quoted should say something like [with appropriate expansion and fact checking]:

"Requests from other countries to Baidu's CDN in China are intercepted by the government firewall - the returned web pages load content from GitHub or NYT that is hidden from the user. Each affected Baidu user outside China's browser sends content requests to those content suppliers whenever they follow a link in Baidu's search results. With Baidu's immense popularity this is causing a DDoS of the content suppliers servers preventing genuine user's browser requests from being handled."

What's the actual injected code? Presumably one can get it by requesting a link on a Baidu SERP?