Jump to content

Tunisian Gov Is Primary Suspect in Mass Theft of Gmail, Yahoo and Facebook Logins


Recommended Posts

The Tunisian government is suspected of injecting password stealing JavaScript code into the login pages of popular websites via its Internet agency that controls the entire country's Internet gateways.

According to reports from Internet users in Tunisia, a country engulfed in violent street riots recently, the login pages of Gmail, Yahoo, and Facebook contain rogue code.

This code is only present when those websites are accessed from within the country and a lot of protesters have reported their email and Facebook accounts being hijacked recently.

All private Internet service providers in Tunisia go out through the infrastructure provided and maintained by the Tunisian Internet Agency (Agence tunisienne d'Internet).

ATI is run by the Ministry of Communications and has the ability to block websites deemed inappropriate by the government. At one time, these included Flickr, YouTube, and Vimeo.

The Tech Herald reports that several security experts have analyzed the source code of Facebook, Yahoo and Gmail as seen in Tunisia and the conclusion is unanimous - there's something surreptitious going on.

The rogue code is customized for each of the websites and its purpose is to hijack login credentials when they are inputted into login forms.

The data is encrypted with a weak algorithm and submitted via GET request to a non-existent URL. For example, Gmail logins are sent to an URL of the form hxxp://www.google.com/wo0dh3ad?q=[five random digits][encrypted username][encrypted password].

This URL does not exist in reality, but since ATI controls the country's perimeter routers and firewalls, it would have no problem logging these bogus requests.

There are reports that the mass account hijackings have been going on since July 2010. Gmail's HTTPS site version was also blocked so that users would be forced to use the less secure HTTP variant, which is vulnerable to man-in-the-middle attacks.

Firefox and Chrome users can protect themselves by installing a special user script that strips out the rogue code from these websites, however, there is no guarantee that it won't be modified in the future.


Link to comment
Share on other sites

  • Views 671
  • Created
  • Last Reply


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...