Tunisia plants country-wide keystroke logger on Facebook

Gmail and Yahoo! too

Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports.

The rogue JavaScript, which was individually customized to steal passwords for each site, worked when users tried to login without availing themselves of the secure sockets layer protection designed to prevent man-in-the-middle attacks. It was found injected into Tunisian versions of Facebook, Gmail, and Yahoo! in late December, around the same time that protestors began demanding the ouster of Zine el-Abidine Ben Ali, the president who ruled the country from 1987 until his ouster 10 days ago.

Danny O'Brien, internet advocacy coordinator for the Committee to Protect Journalists, told The Register that the script was most likely planted using an internet censorship system that's long been in place to control which pages Tunisian citizens can view. Under this theory, people inside Tunisian borders were led to pages that were perfect facsimiles of the targeted sites except that they included about 40 extra lines that siphoned users' login credentials.

“Because it seems to be a perfect copy of the Facebook page, the first thing you assume is the Tunisian government has very cleverly injected the JavaScript as the data went through,” he said.

He said similar phishing attempts targeting Tunisian protestors date back to June, and possibly much earlier.

Although The Tech Herald reported on the rogue scripts three weeks ago, the revelations escaped wide notice until now. On Monday, members of the anti-Tunisian TAKRIZ network warned supporters to stop relying on its Facebook page (at facebook.com/takrizo) after discovering on Friday that all administrative access to it had been suspended.

This is consistent with Danny O'Brien's findings from earlier this month, which said that unknown parties have used the pilfered credentials “to delete Facebook groups, pages, and accounts, including Facebook pages administrated by Sofiene Chourabi, a reporter with Al-Tariq al-Jadid, and the account of local online video journalist Haythem El Mekki.”

Also on Monday, The Atlantic reported that members of Facebook's security team first became aware of the mass credential slurp in the days immediately following Christmas, when they began receiving similar reports of mass deletions of Tunisian dissidents' pages.

“After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on,” The Atlantic article stated. “The country's internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades.”

Facebook Chief Security Officer Joe Sullivan reportedly responded by programming his site to automatically establish an encrypted, HTTPS connection with anyone trying to view the site from inside Tunisia's borders.

“It wasn't a totally perfect solution,” The Altantic noted. “Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.”

Facebook's response is problematic for another, more basic reason: Tunisia's government, with its control of The National Digital Certification Agency, already has the authority to generate valid SSL certificates. That gives it the ability to create HTTPS addresses for Facebook or any other website that it wants to impersonate.

Still, it's nice to see Facebook offering Tunisians a more reliable way to connect over encrypted channels. If only the site would only offer the rest of the world the same basic amenity. ®

Sponsored: Network DDoS protection