Browser surveillance kit discovered for dozens of Chinese websites


Users who had set their browser language to Chinese and visited popular Chinese websites in the past few months were at risk of being spied on. A security researcher using the pseudonym Imp0rtp3 has found a framework called “Tetris” for a large-scale web attack that could exploit security gaps on 58 popular portals. 57 of them are in Chinese. The only affected English-language site is the New York Times website.

According to the researcher’s analysis, the attackers could also use the tool to misuse legitimate browser functions in order to collect the user’s keystrokes, a variety of operating system details, location data and even recordings of the target’s face via an installed webcam. More conspicuous, however, were the exploits aimed at vulnerabilities in third-party web portals: these usually also triggered a notification request in the browser.

Imp0rtp3 came across the spy tool on two news blogs with a Chinese readership. One site, which is still regularly updated, dealt with activities by the Chinese government against Taiwan and Hong Kong. The other portal, written in Swedish, discussed general atrocities of the communist regime until 2016. Readers were initially “welcomed” by Jetriz, the first of the two Tetris components. This component collected and read out basic information about the visitor’s browser.

If the visitor was presumed to be a Chinese user, the second component, “Swid”, loaded 15 different plugins in the form of JavaScript files into the victim’s browser in order to carry out various actions. Eight of them used what is known as JSON hijacking to open connections to popular websites and retrieve public data about the user there. Passwords and authentication cookies did not fall into the attackers’ hands, but they could collect information such as usernames, phone numbers or real names. As protection, Imp0rtp3 recommends the NoScript browser extension or browsing in private browser mode.
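JSON hijacking depends on a portal answering with per-user data when a page on another origin makes the visitor's browser request it. The following is an added example (not code from the researcher's analysis or from any affected site) of server-side checks a portal can apply to such an endpoint; `ALLOWED_ORIGIN`, `respondWithProfile` and the request shape are assumptions made for illustration.

```javascript
// Added example: hardening a per-user JSON endpoint against cross-site inclusion.
// ALLOWED_ORIGIN and the { url, headers } request shape are hypothetical.
const ALLOWED_ORIGIN = "https://portal.example";

function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

function deny(status, reason) {
  return { status, headers: { "Content-Type": "application/json" },
           body: JSON.stringify({ error: reason }) };
}

// req.headers uses lower-case names; profile is the logged-in user's data.
function respondWithProfile(req, profile) {
  const h = req.headers;
  const query = new URL(req.url, ALLOWED_ORIGIN).searchParams;

  // 1. Never wrap per-user data in a caller-chosen function (JSONP).
  if (query.has("callback") || query.has("jsonp")) {
    return deny(400, "jsonp-not-supported");
  }
  // 2. Fetch Metadata: a <script src> include from another site arrives
  //    with Sec-Fetch-Dest: script and Sec-Fetch-Site: cross-site.
  if (h["sec-fetch-dest"] === "script") return deny(403, "script-include");
  const site = h["sec-fetch-site"];
  if (site !== undefined) {
    // Strict policy: only the portal's own pages may read this endpoint.
    if (site !== "same-origin") return deny(403, "cross-site");
  } else {
    // 3. Browsers without Fetch Metadata: fall back to Origin, then
    //    Referer. A request carrying neither fails closed.
    const source = originOf(h["origin"] || h["referer"] || "");
    if (source !== ALLOWED_ORIGIN) return deny(403, "bad-origin");
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // do not sniff the body as script
      "Cache-Control": "no-store",
    },
    body: JSON.stringify(profile),
  };
}
```
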

