The Tunisian Internet Agency (Agence tunisienne d’Internet or ATI) is being blamed for the presence of injected JavaScript that captures usernames and passwords. The code has been discovered on login pages for Gmail, Yahoo, and Facebook, and said to be the reason for the recent rash of account hijackings reported by Tunisian protesters.
ATI is run by the Tunisian Ministry of Communications. They supply all of the privately held Tunisian ISPs, making them the main source of Internet access in the country. They’ve been under scrutiny for years, due to the fact that they make use of their authority to regulate the entire national network. Last April, ATI earned international attention by blocking access to sites such as Flickr, YouTube, and Vimeo.
According to Reporters Without Borders, authorities claim to target only pornographic or terrorist websites. “However, censorship applies above all to political opposition, independent news, and human rights websites.”
“When an Internet user attempts to access a prohibited website, the following automatic error message appears: “Error 404: page not found,” without displaying the familiar “Error 403” more typical of a blocked site…This strategy equates to a disguised form of censorship.”
As for the JavaScript itself, The Tech Herald has seen examples of the embedded script during live surfing sessions with sources in Tunisia, and in posted source code made available to the Web. The source for the GMail injection is here, the Yahoo injection is here, and Facebook is here.
Four different experts consulted by The Tech Herald independently confirmed our thoughts; the embedded code is siphoning off login credentials.
On Twitter, security researcher Gerry Kavanagh and Errata Security CTO David Maynor told us that you can tell the code is capturing login information by how it references the login element for the form.
“Suffice to say, the code is definitely doing something surreptitious,” Kavanagh noted.
Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s Josh Abraham, broke the code down further. Crowley explained that the JavaScript is customized for each site’s login form. It will pull the username and password, and encode it with a weak crypto algorithm.
The newly encrypted data is placed into the URL, and a randomly generated five character key is added. The randomly generated key is meaningless, but it is assumed that it’s there to add a false sense of legitimacy to the URL.
The random characters and encrypted user information are delivered in the form of a GET request to a non working URL. In the Gmail example, you see this URL listed as http://www.google.com/wo0dh3ad. Abraham noted that the encryption makes it easy to capture usernames and passwords that would include special characters such as ‘%’ or ‘/’.
Considering that the backbone of the Tunisian Internet is full of state run filters and firewalls designed to block access, configuring one to log the GET commands with the harvested data would be trivial. But is this a government sponsored action?
The likelihood that a group of criminals compromised the entire Tunisian infrastructure is virtually nonexistent. Code planting on this scale could only originate form an ISP. With their history of holding an iron grip on the Internet, ATI is the logical source of the information harvesting.
There is an upside however, as the embedded JavaScript only appears when one of the sites is accessed with HTTP instead of HTTPS. In each test case, we were able to confirm that Gmail and Yahoo were only compromised when HTTP was used. For Facebook on the other hand, the default is access is HTTP, so users in Tunisia will need to visit the HTTPS address manually.
Another interesting note is that it appears the embedded code has targeted Tunisian users for several months. Slim Amamou, of the Global Voices Advocacy blog, reported his findings on the code last July, and at the time, ATI was blocking Google’s HTTPS port, forcing users to default to HTTP.
The information surrounding the embedded JavaScript came to our attention thanks to a user on the IRC server where supporters for Anonymous’ Operation: Tunisia gathered to show support for Tunisian protesters. When word spread of embedded code and account hijackings, Anonymous offered Tunisian users help via Userscripts.org, with a browser add-on that strips the added JavaScript code.
The ATI website has been offline for more than a day. The outage started after Anonymous launched Operation: Tunisia. Our coverage on their actions and the problems in Tunisia is here.