Tunisian keylogger

All timestamps are based on your local time of:

Posted by: stak
Tags:
Posted on: 2011-01-25 18:22:12

Interesting article about how Tunisia started keylogging passwords for anybody logging in to Facebook through a Tunisian ISP. The article praises Facebook for implementing countermeasures, but really Facebook is just stupid for not using SSL to begin with. Especially given the existence of FireSheep that lets you trivially hijack unencrypted browsing sessions on unsecured Wi-Fi networks.

The article doesn't go into the technical details, but according to this page Tunisia was getting their ISPs to inject a script on the login page to steal the password before submitting the login form. So even though the form submit itself was encrypted, they were still able to grab the password. Facebook's response was to change the page with the login form to be https so that the ISPs wouldn't be able to inject the script. It stopped the Tunisian government, but not for technical reasons. Facebook is still vulnerable to exactly the same problem, because an ISP can simply rewrite the pages pointing to the login page to use http links instead of https. In fact, if you access any insecure page on the domain, the ISP can pretty much rewrite all the links to keep you insecure. The average user wouldn't know that all their data was being snatched.

(On a related note, this sort of attack is exactly why my site forces you to type in the https URL directly into the address bar).

[ Add a new comment ]

	Tunisian keylogger
Home Blog Snippets About All timestamps are based on your local time of:	Posted by: stak Tags: Posted on: 2011-01-25 18:22:12 Interesting article about how Tunisia started keylogging passwords for anybody logging in to Facebook through a Tunisian ISP. The article praises Facebook for implementing countermeasures, but really Facebook is just stupid for not using SSL to begin with. Especially given the existence of FireSheep that lets you trivially hijack unencrypted browsing sessions on unsecured Wi-Fi networks. The article doesn't go into the technical details, but according to this page Tunisia was getting their ISPs to inject a script on the login page to steal the password before submitting the login form. So even though the form submit itself was encrypted, they were still able to grab the password. Facebook's response was to change the page with the login form to be https so that the ISPs wouldn't be able to inject the script. It stopped the Tunisian government, but not for technical reasons. Facebook is still vulnerable to exactly the same problem, because an ISP can simply rewrite the pages pointing to the login page to use http links instead of https. In fact, if you access any insecure page on the domain, the ISP can pretty much rewrite all the links to keep you insecure. The average user wouldn't know that all their data was being snatched. (On a related note, this sort of attack is exactly why my site forces you to type in the https URL directly into the address bar). [ Add a new comment ]

	(c) Kartikaya Gupta, 2004-2023. User comments owned by their respective posters. All rights reserved. You are accessing this website via IPv4. Consider upgrading to IPv6!