Who moved my broadband? A record of the discovery and solution process of HTTP hijacking

The hijacking we usually run into in daily life is DNS hijacking, which can be dealt with by forcing a public DNS server in the router. This article records how I discovered HTTP hijacking on my home broadband. Compared with DNS hijacking, HTTP hijacking is far more brazen and much harder to get rid of.

Recently, while browsing at home, a prompt box reading "Open the link in Taobao Mobile?" kept popping up on web pages in Safari on my iPhone, as shown below:

As an iOS programmer, I naturally recognised this as a web page invoking the Taobao app's URL scheme tbopen://. What is it for? It is a Taobao affiliate promotion link: tapping it opens Taobao and offers a coupon, and if you place an order through it the promoter earns a rebate. The question is why the web page would send such a request. Since the site in question was plain http, it looked like the page might have been hijacked. What follows is a record of the troubleshooting.

Who is hijacking?

First, the environment. My home broadband is China Unicom 100M; the router is an Asus AC86U flashed with Merlin (only the virtual memory plug-in is enabled), and the router dials PPPoE directly. Because of the installation conditions at the time there was no optical modem at home, so the operator ran the phone line straight to the switch on the first floor.

1. Is it an advertisement posted by the website itself?

On Wi-Fi, repeatedly loading the site from the screenshot in Safari private mode, the prompt still appeared roughly 30%-40% of the time. On China Unicom 4G and on China Mobile 4G it never appeared once. On desktop Safari and Chrome it never appeared either.

Conclusion: it only happens on the iPhone when connected over Wi-Fi.

2. Is it caused by the Merlin firmware flashed on the router?

I rummaged through my boxes and found a TP-Link WR700n I had bought earlier, the small router in the picture below (a magical little device, small and exquisite, that switches between AP and router modes at will). After entering the dial-up account and password I swapped it in for the ASUS and kept testing. To my surprise, the hijack pop-up was still there.


Conclusion: Merlin is not at fault; the problem is on the operator's side.

How to hijack

Since DNS had already been set to 114DNS in Merlin, DNS hijacking is ruled out, which confirms the problem lies at the operator's access point. The next step is to see how the hijacking is done. I used Charles to capture the iPhone's traffic (no need to bring out the heavy-duty Wireshark yet); I will skip the setup details. Browse random pages found through Baidu, and when the hijack fires, stop recording and start analysing the log. Working backwards from the most recent request, search the response bodies for tbopen. As expected, it is easy to find:

The original request is http://static.geetest.com/static/js/fullpage.8.9.3.js. On checking, https://www.geetest.com/ is a well-known platform providing security and risk-control solutions; there is no way its JS would legitimately contain a tbopen call. Copy the curl command for this http request out of Charles and run it from an Alibaba Cloud VPS: the genuine JS content comes back.

  curl -H 'Host: static.geetest.com' -H 'Accept: */*' -H 'User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1' -H 'Accept-Language: zh-cn' -H 'Referer: http://pass.52pk.com/' --compressed 'http://static.geetest.com/static/js/fullpage.8.9.3.js'

Replaying the same curl command from my own Mac on the home connection, the response is still hijacked much of the time. Going further, I edited the User-Agent header of the request to remove the phone identifiers and keep only Safari, replayed again, and the hijacking stopped. I also noticed that after a hijack occurs, a second, otherwise identical request for the JS is sent with an extra parameter utm_id=1024001 appended to the URL, and that one returns the correct JS. The purpose is presumably to mark the retry so that the real JS is served and the page still loads normally; otherwise the retry would itself be hijacked, and the correct JS would never load.

At this point the whole hijacking process is roughly clear: China Unicom's access point picks out http JS requests coming from mobile devices based on the UA, and with a certain probability answers them with a hijacked pseudo-JS payload that embeds the Taobao promotion link.
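The replay test above can be turned into a repeatable check. The script below is an added example, not code from the original post: it replays the same plain-HTTP JS URL under several User-Agents, hashes each body, compares it with a reference copy fetched from a trusted vantage point (such as the VPS mentioned above), flags bodies carrying an app-launch scheme, and reports the per-UA hijack rate. The sample bodies and UA strings are constructed stand-ins for the Charles capture; the tbopen:// marker is from the page, the other markers are assumed.

```python
"""Added example: measure per-User-Agent tampering of a plain-HTTP JS file."""
import hashlib
import re
import urllib.request
from collections import defaultdict

# Markers a legitimate geetest library would never carry. tbopen:// is the
# Taobao URL scheme from the capture; the setInterval form is an assumption.
SUSPICIOUS = re.compile(rb"(tbopen://|setInterval\s*\([^)]*tbopen)", re.I)

def fetch(url, user_agent, timeout=10):
    """Fetch url once with the given User-Agent and return the raw body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def classify(body, reference_sha256):
    """'clean' if body matches the trusted reference, 'injected' if it
    differs and carries an app-scheme marker, otherwise 'modified'."""
    if hashlib.sha256(body).hexdigest() == reference_sha256:
        return "clean"
    return "injected" if SUSPICIOUS.search(body) else "modified"

def hijack_rate(samples, reference_sha256):
    """samples: list of (user_agent, body). Returns {ua: fraction altered}."""
    counts = defaultdict(lambda: [0, 0])  # ua -> [altered, total]
    for ua, body in samples:
        counts[ua][1] += 1
        if classify(body, reference_sha256) != "clean":
            counts[ua][0] += 1
    return {ua: bad / total for ua, (bad, total) in counts.items()}

# Constructed sample data standing in for a real capture (not real responses).
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_3 like Mac OS X) Safari/604.1"
DESKTOP_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) Safari/605.1.15"
REAL_JS = b"(function(){window.initGeetest=function(){/* real lib */};})();"
FAKE_JS = b"(function(){setInterval(function(){/* launch tbopen:// */},20);})();"
REFERENCE = hashlib.sha256(REAL_JS).hexdigest()  # hash from the clean vantage point
SAMPLES = [(MOBILE_UA, FAKE_JS), (MOBILE_UA, REAL_JS), (MOBILE_UA, FAKE_JS),
           (MOBILE_UA, REAL_JS), (MOBILE_UA, REAL_JS),
           (DESKTOP_UA, REAL_JS), (DESKTOP_UA, REAL_JS), (DESKTOP_UA, REAL_JS)]

if __name__ == "__main__":
    for ua, rate in hijack_rate(SAMPLES, REFERENCE).items():
        print(f"{rate:.0%} of responses altered for UA: {ua[:40]}")
```

To run it against a live link, replace SAMPLES with repeated `fetch(url, ua)` calls for each UA and REFERENCE with the hash of the body fetched from the trusted host.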

The hijacked JS content is shown below; it contains the Taobao affiliate promotion links. Perhaps someone at Alimama should look into this?

The code is fairly simple: it attaches its own script to the page DOM, then uses setInterval with a 20 ms delay to call tbopen://, opening the Taobao app to collect the coupon.

As a temporary workaround on the phone, you can add a Header Rewrite rule in Surge that changes the UA:

  [Header Rewrite]
  ^http://* header-replace User-Agent Safari/530

Complaint

I recorded two videos on my phone as evidence and called Unicom customer service to complain. They said they would send someone to check. A day later they called back: the maintenance staff said the problem was at the customer's home and could not be solved. ??? Nobody had contacted me or come to check at all. No matter. I calmly told the customer service representative that if they could not solve it, I would have to escalate the complaint. There was no point getting angry with customer service; I had complained to the operator first without expecting them to fix it immediately, simply because the procedure had to be followed. I then found the website of the Provincial Communications Administration and left a message describing the situation. I got a call back before the end of the next workday and sent over all the videos I had recorded as evidence. Not long after, the operator called back and said they would arrange for someone to bring a router over to check and pin down the problem. The technician assigned to it also called to understand the situation. He first asked whether DNS had been reset to 114 (Merlin already had that set). With no solution over the phone, he booked a visit. On the agreed inspection day I kept re-running the test, and it was still hijacked. Around 10:30 in the morning the router logged a network reconnect, and after that my tests showed no more hijacking. Yet the inspector never came; it seems the access point was quietly changed. And so a complaint that seemed to be going nowhere was resolved, without anyone ever explaining what had been changed.

Reflection

Throughout the whole process, users have little leverage against network operators and find it hard to produce evidence, since the operator can change a setting at any moment and switch the hijacking off. The Communications Administration asked the operator to inspect itself rather than appointing a third party, so it is unknown whether the operator's "I will check myself" reflects the actions of individual employees or of the operator as a whole. The security service provider Geetest (Jiyan) did not deliver its service over https, which is notably backward given the push to HTTPS everywhere over the past two years, all the more so for a company that sells anti-fraud and similar services. In the end its own service was hijacked; ending up as both victim and scapegoat is unfair to them too.

Finally, webmasters who have not yet moved to https should do so as soon as possible.
