Tunisia plants country-wide keystroke logger on Facebook
Gmail and Yahoo! too
Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports.
Danny O'Brien, internet advocacy coordinator for the Committee to Protect Journalists, told The Register that the script was most likely planted using an internet censorship system that's long been in place to control which pages Tunisian citizens can view. Under this theory, people inside Tunisian borders were led to pages that were perfect facsimiles of the targeted sites except that they included about 40 extra lines that siphoned users' login credentials.
He said similar phishing attempts targeting Tunisian protestors date back to June, and possibly much earlier.
Although The Tech Herald reported on the rogue scripts three weeks ago, the revelations escaped wide notice until now. On Monday, members of the anti-Tunisian TAKRIZ network warned supporters to stop relying on its Facebook page (at facebook.com/takrizo) after discovering on Friday that all administrative access to it had been suspended.
This is consistent with Danny O'Brien's findings from earlier this month, which said that unknown parties have used the pilfered credentials “to delete Facebook groups, pages, and accounts, including Facebook pages administrated by Sofiene Chourabi, a reporter with Al-Tariq al-Jadid, and the account of local online video journalist Haythem El Mekki.”
Also on Monday, The Atlantic reported that members of Facebook's security team first became aware of the mass credential slurp in the days immediately following Christmas, when they began receiving similar reports of mass deletions of Tunisian dissidents' pages.
“After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on,” The Atlantic article stated. “The country's internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades.”
Facebook Chief Security Officer Joe Sullivan reportedly responded by programming his site to automatically establish an encrypted, HTTPS connection with anyone trying to view the site from inside Tunisia's borders.
“It wasn't a totally perfect solution,” The Altantic noted. “Most specifically, ISPs can force a downgrade of https to http, but Sullivan said that Facebook had not seen that happen.”
Facebook's response is problematic for another, more basic reason: Tunisia's government, with its control of The National Digital Certification Agency, already has the authority to generate valid SSL certificates. That gives it the ability to create HTTPS addresses for Facebook or any other website that it wants to impersonate.
Still, it's nice to see Facebook offering Tunisians a more reliable way to connect over encrypted channels. If only the site would only offer the rest of the world the same basic amenity. ®
Sponsored: The Nuts and Bolts of Ransomware in 2016