69 tweets, 16 min read
If you are using an older SMART wifi, FYI. I've discovered proof that China is spying on us. (Steps follow).
I was editing my mom's website when I found a random script attached to the front page.
Of course I didn't write this, so I checked it out. It was a funky code that monitors whether you are logged in to certain websites... seems to be domains in China!
So I checked these domains and yep, Chinese domains!
All non-SSL sites accessed via SMART WIFI will have a high chance to attach this funky script on the front page. Tracing the traffic sees it goes to CHINA before landing back in PLDT. What the heck SMART?
This is the Laguna Provincial website. No SSL encryption, and the funky script appears.
Gotta love it when even Malacanang isn't secure, and snooped by CHINA. Enjoy that folks.
Anyway to summarize the things wrong with this picture:
a. Many sites (especially Government websites) are not SSL-secure
b. Our telco is routing our traffic to CHINA
c. A random tracking code is inserted into your non-secure site while going through CHINA
Meanwhile, just ensure your sites are SSL-secured (the code can't understand encrypted sites to self-insert), and if you have older SMART wifi get rid of it. For me, back to fixing my mom's website.
More laughs. Guess who's gonna be monitoring the upcoming elections?
So who watches the Police? You know who.
Navy? Yep.
DICT. Cool.
Found a reference on the funky code. Huawei modems/routers inject this on any website.
superuser.com/questions/1411…
I just googled "huawei router injection" and a whole bungle of horror just spewed out of the search results. We all use this stuff either directly or indirectly via our home routers, wifi, and cellsites.
Those who want to help trace/investigate please DM me. I can send the script and screenshots.
Tally so far:
Any network/device on SSL sites - negative.
For non-SSL sites:
Globe, Nexlogic, Converge - negative.
Using Smart on non-SSL sites:
Oppo A37F, Oppo CPH1801, Xiaomi Double Mi - positive.
LG Stylus 2 - negative.
Will test more devices as I encounter them.
Btw, the authorities and media have approached me. So thanks for the RTs and comments folks. Will publicly share anything that comes out of this (even if it's just a mistake).
Ok the other way around:
Using Globe on non-SSL sites:
Oppo A37F, Oppo CPH1801, Xiaomi Double Mi - negative.
LG Stylus 2 - negative.

So Globe seems to be negative on these devices. Only the China phones are positive on Smart.
Hi folks - since this is now a legitimate news item, and after some new information, just to set the record straight:
- 10.xx.xx.xx IP addresses aren't China. They are internal to some network (presumably Smart/Sun)
- The code is inserted from these servers
- The code (base.js) contains links to people.com.cn and caijing.com.cn - which are CHINA domains
- The code is only inserted if the site is non-SSL
- This seems to only happen using China-phones using Smart/Sun sims.
- Any non-SSL website is vulnerable
- The websites we tested (DICT, COMELEC, PNP, NAVY, LAGUNA, MALACANANG) - were all NON-SSL secured
So for me it just boils down to these 3 questions:
Why is a weird code getting inserted on non-SSL websites from the network?
Why does it only happen on (some) Smart wifi using certain (China) phones?
Why are our many gov websites non-SSL?
Update as of now:
- I've been advised by some colleagues from the industry that the telco concerned has taken down the offending server/s
- At least one government website (Laguna) has installed SSL encryption
- Am still testing using my Smart SIM but it is currently down
Either way, it seems the right people have heard about it and taken some action. Whatever the final outcome of this story will be, at least let me state that I have no personal agenda or axe to grind against said telco or the government.
I've simply reported what I saw, and provided evidence as of that moment. I did not wish for this thread to be viral, so it wasn't a publicity stunt. I hope it has raised awareness about cybersecurity and the need for more vigilance.
To that certain telco executive who supposedly even has insinuations to make, this is all I can say: this happened on your watch and everyone knows it. Enjoy your evening, brother. For the country.
Official Word (Video). Action starts at 1:00.
24 hours later: It seems at least 3 threads have popped up regarding this. Reddit, Twitter, and FB. The first 2 are surprisingly clean and troll-free (somehow the trolls self-delete or block themselves out here). The FB thread is something else.
As you guys have gathered, I have no FB account. I quit that damned thing in 2012 due to worries about privacy. The trolls stay there though and few have had the guts to come here and talk to me directly. The FB folks are also hiding behind codenames and posts full of insinuations.
Meanwhile here I am in full view, full name, picture, and dispensing info/data to whoever will need it. The Reddit thread is also gathering a small group of techies, who are trying to understand and address the issue. I cannot thank you enough for the positive reinforcement.
The Twitter and Reddit threads are examples of how we try to solve issues. Proactively. So again, thanks to everyone. I'm still currently working with a few people to figure out what exactly is happening here and how to prevent your data from being taken by unauthorized parties.
Since I can't react on FB, I'll just post my thoughts on some of the pettiness I have been advised from there, in particular the PHILIPPINE IT SECURITY FORUM - which seems to be a noisy group. The thread is here: facebook.com/groups/1238625…
Accusation 1: Private IP issue - he's stupid, that's not China
- Yes it's already established. But the fact is these IPs are part of the route of the traffic. The endpoint is public. I have packet capture and traceroute to prove this.
Accusation 2: His system is compromised
- That was the first thing we checked. So we tested on multiple laptops. The script is not attached at client side, it is attached at server side - along the way of the traffic. Malware on laptop was also tested. Negative.
Accusation 3: He is not an expert
- I admitted that I am not a Cybersecurity professional but I have collectively 20+ years in data analytics, data warehousing, networks, data centers and web development apart from having a stint in Surveillance and Fraud for a major bank.
Accusation 4: He needs to learn basic coding practices
- I have been coding since I was 6, and fluent in at least 5 dev languages (although I only use 3 nowadays). I also write Python and JavaScript for a living. I teach coding actually - although I'm always open to learn.
So noisy brats, I'm just here in Twitter in case you need to clarify anything. Nothing changes. The facts stay the same.
New one: Accusation 5: The posts are edited. Fake News!
I think this is referring to why in my screenshots the offending script is conveniently highlighted in red font in all of the sites.
Answer: Use Firefox when viewing source. It's easier to review than Chrome.
Also - those who have seen the script know that this is precisely the position that the code looks for to insert itself (i.e. after </head>). Not because I faked it.
Try harder, IT wannabes. What a waste of my effort here.
After 48 hours: The cool techies at reddit have been challenging each other about the script. One user has done a line by line annotation (which is impressive) here:
reddit.com/r/Philippines/…
Updated findings are:
- If you are using the network+device mentioned, your traffic goes to the said offending server
- If you are surfing a non-SSL site, the server is able to read and insert the offending script into the site
- The script loads once the site loads
In addition:
- The script gathers high-level information about what you are doing - time surfed and the site you are viewing and sends this back to the offending server
- The script terminates only if you are on the 2 China websites mentioned
Just to allay public fears a bit:
- No info seems to be directly sent to the Chinese websites, the script just monitors if you are there
- No other changes are made to the user's system. So there seems to be no "infection" of your device to worry about.
Precautions:
- Data is still being gathered from you and sent back. So if you are browsing non-SSL be very careful about data you transmit. Avoid non-SSL sites if possible
There's ongoing investigation being done privately and by the authorities. Nothing final yet but there are a few emerging reasons - will update everyone once confirmed. So far everything posted reflects my knowledge as of this time.
Btw, I also want to acknowledge that some members of the FB group I criticized have approached me personally to ask for info. Some of them have provided valuable insights. I did not mean to target your group folks and I appreciate that you are helping.
Now at the 72 hour mark since I spotted the strange script. No major changes since the last update, but I thought of finally posting some additional supporting information to back up existing claims. This can also be educational to the non-techies still reading this (if any).
First - traceroute. If I access Malacanang's website, which is hosted in DOST, that traffic would travel through several servers, which include PLDT, Pacific, DOST, and of course the "Unknown" IPs (10.x.x.x) where our script hails from. The traceroute here shows this clearly.
Now more on the 10.x.x.x servers - which our IT Security friends (read: Trolls) have quickly pointed out are private. While the IP range might be reserved for internal use, I was in fact able to access them from the internet. Attached are ping stats to show this.
Next, the offending server 10.165.197.14, apart from the ping shot in the previous post, here's the actual script accessible from a URL. This means that this server is on a public endpoint (or at least accessible using the affected SIM). So hope no more "private IP blah blah".
Now about that offending server, what's the big deal anyway? To show that this server is receiving information from the user, we took a packet capture (network logs) to show what that server is doing. Pay attention to the "GET" rows. The last row is clearly sending data.
As evidenced by the GET log, the server is receiving timestamp, website, and the server that is receiving (there might be tons of these servers doing this). It's basically a log of internet activity from the user. This was also caused by the part of the offending script here:
Now there's the matter of the monitoring behavior, here is the condition in the script that checks if you are on any of the 2 Chinese websites. Connecting the dots, if you are NOT on these sites, the script will send your data back to the offending server.
The above should at least clarify that a) I am not a moron about networks as claimed by my troll-fans and b) that there IS indeed a monitoring and data gathering going on. Some more details are being confirmed - more about the INTENT behind all this business. Stay tuned.
State of the Nation: (go to -52mins or 4mins)
96 hours later: A couple of media outlets have already contacted me about the story. You can go back up this thread to view the videos and articles. I promised I'd share the possible reasons WHY this insertion is happening, and this is the best we can do without SMART's word.
Regarding the base.js, a redditor spotted the exact same code floating around. It was posted here around 3 years ago with reference to Zong 4G. Zong is one of the leading telcos in Pakistan. gist.github.com/asadm/5dce96d6…
So digging further, a member of the IT Security group shared that Zong had launched this special toolbar, that allowed postpaid subscribers to monitor their usage. And this toolbar would pop up in front of whatever website you were browsing. Reference: tribune.com.pk/story/1120071/…
Another redditor mentioned that Sun Cellular happens to have the same feature on its postpaid subscriber base. It's documented here. According to the info, the toolbar will not appear on SSL secured websites. suncellular.com.ph/broadband/sun-…
A few years ago, there was a similar functionality in Sun that was triggered by an older type of script: scg.js. It also uses a script injection function and here is a Chinese (translated) reference. Look familiar? translate.google.com/translate?dept…
Finally to connect the dots, my smart sim is a legacy one that used to be a sun postpaid sim. And so the current hypothesis is that this script injection that monitors your browsing is a defunct toolbar service that Sun/Smart previously had.
So there you have it, it's not yet foolproof, and have to wait for SMART to officially comment, but the possible conclusion is that SMART (or SUN) had a product that inserted code into the website you were surfing and checks if you were on these Chinese sites.
I am not privy to the telco's products, or sure if this was intentional on their part. Still the fact remains that code insertion is unknown to the user, and checks and transmits data without asking. It still doesn't explain why it works only on Chinese phones though.
Finally, the issue with lack of SSL encryption is a broader one that is beyond the telcos. If you were witness to the hacking episode from that other group today, it just shows that lack of security is so prevalent especially in government websites.
By the way, a number of you were asking who the blind item of the mysterious telco executive was. Since I think we are close to the conclusion of this fiasco, I might as well reveal it. So Mr. Redoble, what say you? Am I really a zero?
The excerpt of the GMA video, in case you want to share:
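As an added example, not from the thread or its author: a small Python checker that applies the two signals described above (a script src pointing at a 10.x.x.x address, and a third-party script tag sitting right after </head>) and diffs the script tags of a page fetched over plain HTTP against the same page fetched over HTTPS. The sample page and the example.com / example.org names are constructed; only the 10.165.197.14/base.js address comes from the thread.

```python
import ipaddress
import re
from urllib.parse import urlparse

# <script ... src="..."> tags; group 1 is the src value.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)

def _is_private_ip(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a DNS name, not an IP literal
        return False

def find_injected_scripts(html, page_url):
    """[(src, reason), ...] for script tags that look network-injected: src on an RFC 1918
    address, or a third-party script between </head> and <body> (the injector's position)."""
    page_host = (urlparse(page_url).hostname or "").lower()
    head = re.search(r"</head>", html, re.IGNORECASE)
    body = re.search(r"<body\b", html, re.IGNORECASE)
    head_end = head.start() if head else -1
    body_start = body.start() if body else len(html)
    findings = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        host = urlparse(src).hostname  # None for a relative (same-origin) path
        if host is None or host.lower() == page_host:
            continue
        if _is_private_ip(host):
            findings.append((src, "loads from private-range address " + host))
        elif head_end != -1 and head_end < m.start() < body_start:
            findings.append((src, "third-party script between </head> and <body>"))
    return findings

def scripts_only_in_http(http_html, https_html):
    """Script srcs in the plain-HTTP copy of a page but absent from the HTTPS copy; a middlebox
    can only rewrite cleartext, so these came from the network (or a scheme-varying server)."""
    return sorted(set(SCRIPT_SRC_RE.findall(http_html)) - set(SCRIPT_SRC_RE.findall(https_html)))

# Constructed sample page as it arrived over HTTP, with a tag injected right after
# </head>. Only the 10.165.197.14/base.js address is from the thread; the rest is made up.
SAMPLE_HTTP = ('<html><head><title>Provincial Government</title><script src="/js/site.js">'
               '</script></head><script src="http://10.165.197.14/base.js"></script>'
               '<body><p>Welcome</p><script src="https://cdn.example.org/lib.js"></script></body></html>')
SAMPLE_HTTPS = SAMPLE_HTTP.replace('<script src="http://10.165.197.14/base.js"></script>', "")

if __name__ == "__main__":
    for src, why in find_injected_scripts(SAMPLE_HTTP, "http://www.example.com/"):
        print("SUSPECT", src, "-", why)
    print("only over HTTP:", scripts_only_in_http(SAMPLE_HTTP, SAMPLE_HTTPS))
```

In practice you would feed it the body of the same URL fetched from the suspect SIM over HTTP and from a clean connection over HTTPS; a hit on either signal is what the thread's screenshots show.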
Thread by Dominic Ligot