Hijacking user accounts (harvesting Facebook passwords and usernames)

The Committee to Protect Journalists said its own research found that “the [state-run] Tunisian Internet Agency is harvesting passwords and usernames of bloggers, reporters, political activists and protesters by injecting hidden JavaScript” into many popular site login pages.

This extended to sites like Facebook, where the main login page mysteriously had 10 additional lines of code inserted when it arrived at Tunisian computers. (Such code injection is technically simple using various pieces of deep-packet inspection gear, and it was made easier by the fact that the Tunisian government would periodically block secure HTTPS connections.)

That code grabbed the username and password, embedded them into a bogus Facebook URL, and then attempted to load the nonexistent page. It’s unclear why this was done, though speculation is that the hack was a simple way to grab passwords. The Tunisian Internet Agency could simply log all attempts to hit the bogus Facebook link without the liability of listing one of its servers in the code itself.

CPJ noted in a separate report that “unknown parties have subsequently logged onto these sites using these stolen credentials, and used them to delete Facebook groups, pages and accounts, including Facebook pages administrated by Sofiene Chourabi, a reporter with Al-Tariq al-Jadid, and the account of local online video journalist Haythem El Mekki. Local bloggers have told CPJ that their accounts and pictures of recent protests have been deleted or otherwise compromised.”

Al-Jazeera interviewed an anonymous source who had crafted a Greasemonkey script that could strip this additional code from login pages. On January 6, it had already been installed over 1,500 times.
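The inserted lines described above can be detected by comparing the scripts on a received login page with those on a known-good copy of the same page. The sketch below is an added example, not code from the article or from the Greasemonkey script it mentions; the function names, the sample HTML and the idea of holding a baseline fetched over a trusted channel are all assumptions made for illustration.

```javascript
// Added example: flag <script> elements that a received login page contains
// but a known-good copy (obtained over a trusted channel) does not.
// All HTML below is constructed sample data, not captured traffic.

// Assumption: regex extraction is adequate for well-formed pages; a
// production tool would use a real HTML parser.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

function scriptKeys(html) {
  const keys = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    // External scripts are keyed by URL, inline ones by their
    // whitespace-normalized body so reformatting alone is not flagged.
    keys.push(src
      ? `src:${src[1]}`
      : `inline:${m[2].replace(/\s+/g, ' ').trim()}`);
  }
  return keys;
}

function findUnexpectedScripts(baselineHtml, receivedHtml) {
  const known = new Set(scriptKeys(baselineHtml));
  return scriptKeys(receivedHtml).filter((k) => !known.has(k));
}

// Constructed known-good page.
const BASELINE = `<html><head>
<script src="/static/login.js"></script>
<script>initLoginForm();</script>
</head><body><form id="login"></form></body></html>`;

// Constructed received page: the baseline, re-indented, plus one extra block.
const RECEIVED = `<html><head>
<script src="/static/login.js"></script>
<script>
  initLoginForm();
</script>
<script>/* constructed stand-in for an injected block */ void 0;</script>
</head><body><form id="login"></form></body></html>`;

const unexpected = findUnexpectedScripts(BASELINE, RECEIVED);
console.log(unexpected.length ? unexpected : 'no unexpected scripts');
```

A check like this only reports that the page differs from the baseline; it cannot stop interception, which is why the request for HTTPS by default matters.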

On January 11, the Electronic Frontier Foundation publicized the Greasemonkey script but also asked Facebook in particular to consider a few technical changes:

Make Facebook logins default to HTTPS, if only in Tunisia, where accounts are especially vulnerable at this time. Google and Yahoo logins already default to HTTPS.

Consider allowing pseudonymous accounts for users in authoritarian regimes, where political speech under your real name is dangerous and potentially deadly. Many Tunisian activists are unable to reinstate Facebook accounts that have been erased by the Tunisian government because they were not using their real names.
