A recent study conducted by researchers from the Harbin Institute of Technology reveals significant security issues plaguing Chinese government websites, leaving them vulnerable to malicious attacks. The study, which examined nearly 14,000 government websites across China, highlights numerous vulnerabilities and dependencies that compromise the digital efficacy and safety of these systems.
Among the key findings, over a quarter of the examined domain names lacked effective DNS configuration, raising concerns about their reliability and accessibility. The study also highlighted a notable dependence on a handful of DNS service providers, creating potential single points of failure in the network infrastructure.
The researchers discovered that many government websites relied on outdated versions of the jQuery JavaScript library, leaving them exposed to remote attacks due to vulnerabilities like CVE-2020-23064, which has been known for years.
The study also identified issues with HTTPS adoption and IPv6 integration, which are crucial for secure and modern internet communications. Additionally, missing DNSSEC signatures pointed to potential weaknesses in domain name security.
Through a Zed Attack Proxy (ZAP) analysis, the researchers found widespread issues with security headers and related protections, including X-Content-Type-Options, Content Security Policy, and anti-CSRF tokens. Many websites were also vulnerable to attacks like clickjacking and cross-site request forgery due to improper configurations.
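
A site operator can run the same class of passive checks against their own responses. The sketch below is an added example, not code from the study or from ZAP; the function name `audit`, the finding ids, the list of token field names and both sample responses are constructed for illustration.

```python
import re

# Token field names are an assumption; frameworks differ, so extend as needed.
CSRF_NAME = re.compile(r"csrf|xsrf|authenticity_token|requestverificationtoken", re.I)
FORM = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
INPUT_NAME = re.compile(r"<input\b[^>]*\bname\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def audit(headers, body=""):
    """Return sorted finding ids for one HTTP response (headers dict + HTML body)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = set()
    # MIME sniffing is only disabled by the exact value "nosniff".
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.add("x-content-type-options-missing")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.add("csp-missing")
    # Clickjacking: accept X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") \
            and "frame-ancestors" not in directives:
        findings.add("anti-clickjacking-missing")
    # CSRF: every POST form should carry a token-like input field.
    for form in FORM.findall(body):
        open_tag = form[: form.index(">") + 1]
        is_post = re.search(r"\bmethod\s*=\s*[\"']?post\b", open_tag, re.I)
        names = INPUT_NAME.findall(form)
        if is_post and not any(CSRF_NAME.search(n) for n in names):
            findings.add("anti-csrf-token-missing")
    return sorted(findings)

# Constructed sample responses: one with no protections, one hardened.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_BODY = '<form method="post" action="/submit"><input name="q"></form>'
HARDENED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
HARDENED_BODY = ('<form method="POST" action="/submit">'
                 '<input type="hidden" name="csrf_token" value="constructed">'
                 '<input name="q"></form>')

if __name__ == "__main__":
    print("weak:", audit(WEAK_HEADERS, WEAK_BODY))
    print("hardened:", audit(HARDENED_HEADERS, HARDENED_BODY))
```

The form check is regex-based and only looks at field names, so treat a clean result as a prompt for manual review of token validation on the server, not as proof of CSRF protection.
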
The study highlights the urgent need for real-time monitoring, malicious activity detection, and regular updates of third-party libraries to improve the security of Chinese government websites. It also emphasizes the importance of diversifying network nodes to enhance system resilience and performance.
The findings are particularly notable as the Chinese government has repeatedly emphasized the need to improve digital services and cybersecurity. The study serves as a wake-up call, underscoring the need for stringent vetting and regular security updates to safeguard critical government infrastructure.