

The code injected to steal passwords in Tunisia - abraham
http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html

======
mustpax
Unfortunately just encrypting the login page would not protect user accounts
from Tunisia's ISP. The ISP can just sniff your session cookie and hijack your
session instead. They won't be able to change your password but they can read
and write all your other data.

The only real protection here is to go full SSL and not forget to set the SSL
only flag on session cookies. Even then, you only have to wait till Tunisia
buys a forged certificate for Facebook.
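The "SSL only flag" mustpax refers to is the cookie's Secure attribute; without it the browser attaches the session cookie to any plain http:// request for the domain, which is what a sniffing ISP reads. The following is an added example, not code from the thread or from Facebook: it audits Set-Cookie header values for Secure and HttpOnly, lists which cookies a browser would still send over plaintext, and rewrites a weak header into its hardened form. The header values are constructed samples, and the host names are placeholders.

```python
"""Audit Set-Cookie headers for the flags that keep a session cookie
off the wire in cleartext. Added example; the sample headers below are
constructed, not captured from any real site."""
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie values: one weak cookie, one hardened one.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Domain=.example.com",
    "login_token=def456; Path=/; Secure; HttpOnly",
]


def _parse(header_value):
    """Parse one Set-Cookie header value into a SimpleCookie jar."""
    jar = SimpleCookie()
    jar.load(header_value)
    return jar


def audit_set_cookie(header_value):
    """Map each cookie name to the list of protective flags it lacks.

    Secure: never sent over http://, so a passive sniffer cannot read it.
    HttpOnly: not readable by page script, limiting injected-JS theft.
    """
    findings = {}
    for name, morsel in _parse(header_value).items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        findings[name] = missing
    return findings


def cookies_sent_on_plaintext_request(header_value):
    """Names of cookies a browser would attach to a plain http:// request
    for the same host: exactly those lacking the Secure flag."""
    return [name for name, morsel in _parse(header_value).items()
            if not morsel["secure"]]


def harden_set_cookie(header_value):
    """Return the same cookies re-serialised with Secure and HttpOnly set."""
    hardened = []
    for morsel in _parse(header_value).values():
        morsel["secure"] = True
        morsel["httponly"] = True
        hardened.append(morsel.OutputString())
    return hardened


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        print("  missing:", audit_set_cookie(header))
        print("  leaks over http:", cookies_sent_on_plaintext_request(header))
        print("  hardened:", harden_set_cookie(header))
```

Secure on its own only covers the cookie; as the next replies note, the login page and every page that carries the cookie still have to be served over HTTPS for the flag to mean anything.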

~~~
eli
Or they just redirect all HTTPS requests back to HTTP. How many people would
notice?

~~~
marshray
Presumably a Tunisian blogger may be "paranoid" enough to notice.

When it's your password on the line (and possibly your ass in jail) data
security is more than aggregate statistics.

~~~
eli
Err, well, I'm pretty sure they could have logged in via HTTPS all along by
just manually typing in <http://www.facebook.com>

~~~
marshray
If the URL starts with "http:", the attacker gets to decide which parts (if
any) are going to be sent HTTPS.

~~~
eli
Sorry, either the autolinker or I screwed up that post. My point was
that if people cared about security, they could have been visiting the Facebook
login page by manually typing HTTPS in the first place.

~~~
marshray
True.

I don't use FB, but someone on Slashdot was saying it likes to reply with
every link going to http anyway. Based on my experience with Twitter and other
sites, this sounds very plausible.

------
mrkurt
This is why mixed content warnings from browsers are an oh-so-important
annoyance.
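A mixed content warning fires when an https:// page pulls a subresource over http://, which is exactly the situation marshray describes above: any http: script, frame or form action on the page is a piece the network can rewrite. This added example, not part of the thread, is a small scanner that walks a page's HTML and reports every resource resolved to an http: URL, separating "active" content (scripts, frames, stylesheets, form actions, which can run code or redirect credentials) from "passive" content (images and media). The page URL and HTML are constructed samples with placeholder hosts.

```python
"""Report http:// subresources on an https:// page. Added example; the
sample page below is constructed and the hosts are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that load code, frames or stylesheets, or submit data.
ACTIVE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "form": ("action",),
    "link": ("href",),      # only counted when rel contains "stylesheet"
    "object": ("data",),
    "embed": ("src",),
}
# Tag/attribute pairs that only display data; tampering is less severe.
PASSIVE_ATTRS = {"img": ("src",), "audio": ("src",), "video": ("src",)}

SAMPLE_PAGE_URL = "https://www.example.com/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<form action="http://www.example.com/login.php" method="post">
  <input name="email"><input name="pass" type="password">
</form>
<img src="http://static.example.com/logo.png">
<iframe src="//ads.example.net/frame"></iframe>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, resolved_url) for every http: subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <link> only loads active content when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for table, severity in ((ACTIVE_ATTRS, "active"), (PASSIVE_ATTRS, "passive")):
            for attr in table.get(tag, ()):
                value = attrs.get(attr)
                if value is None:
                    continue
                # Relative and protocol-relative URLs inherit the page's
                # scheme, so resolve before inspecting the scheme.
                resolved = urljoin(self.page_url, value)
                if urlsplit(resolved).scheme == "http":
                    self.findings.append((severity, tag, resolved))


def scan_mixed_content(page_url, html):
    """Return the list of http: subresources found on the given page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{severity:8} <{tag}> {url}")
```

The protocol-relative iframe resolves to https: and is not reported, while the http: form action is the finding that matters most on a login page: credentials submitted there leave the HTTPS page in the clear.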

~~~
maukdaddy
Also why the entire login page needs to be served via SSL.

~~~
nodata
and surely the entire site, if you want to avoid session hijacking.

(and after that, all the government needs to do is require an SSL signing
authority to be used by all Tunisian banks, and it's back in!)

~~~
blinkingled
There is no such thing as Security - only the illusion, that too of Selective,
Government Controlled Security :)

------
marshray
Isn't it time for Godaddy to take the password box off their unencrypted home
page now?

~~~
jedsmith
Based on anecdotes, it sounds like GoDaddy has bigger problems.

~~~
kragen
GoDaddy's customers have the problems. GoDaddy itself is raking in cash hand
over fist.

~~~
marshray
It's the users of the customers of GoDaddy that bear much of the risk.

------
thisisblurry
Similar HN post (2.5 weeks ago): <http://news.ycombinator.com/item?id=2079223>

------
tmachinecharmer
It is very easy to get someone's password if they have checked "remember me"
and gone out for a coffee.

By very easy I mean it requires almost no talent.

Long time back (even) I wrote a script to grab password and username using DOM
and JavaScript.

~~~
MichaelGG
If you mean using the browser or OS password mechanism, then sure, if you're
logged in as the user you can access their secrets.

But this should not be true for "remember me" cookies. Those just need
some identifier.

At any rate, you still need "talent": to know where the person is, when
they're going for coffee, ability to access their machine without bystanders
asking questions, etc.

~~~
marshray
If you control any firewall or router along the way you can inject iframes
which retrieve any url you like and run script in the same-origin context.
Except for "https only" sites, but note that Microsoft helpfully provides the
government of Tunisia with a trusted root CA in their products. Try
<https://www.certification.tn/> . I wonder if it's a code-signing cert?

~~~
ZoFreX
> Microsoft helpfully provides the government of Tunisia with a trusted root
> CA in their products

Isn't this rather huge news? Why did they do this sort of downgrading hackery
when they could do a more elegant (and slightly more transparent) man in the
middle?

~~~
marshray
A) It's better to avoid using your capability even if you have it.

B) Probably a lot of users prefer Mozilla, though it may defer to the system
store on Windows anyway, I'm not sure.

C) For the same reasons it's a pain for FB to use https everywhere, it's a
pain for Tunisia to set up SSL interception on their outbound connections.
There are certainly off-the-shelf boxes which can do it though.

------
barmstrong
I might have missed this, but how was the javascript injected in the first
place? Did they have a URL param being displayed (unescaped) on the page?

~~~
adn37
Attacker sits at network / ISP level, and can therefore inject any (js, ...)
payload in non-https web pages, on the fly.

------
jessedhillon
I don't see how Javascript is to blame here, which is I think what the author
is implying with the "game over" link to slides about JS insecurity.

This attack only worked because the attacker could subvert the same-domain
origin policy, by posting usernames and passwords to a page at the
facebook.com domain (but which was routed to an attacker's host at a lower
level.) The security failure happened at a lower layer than where Javascript
security would be responsible.

------
anonymous246
"... was stealing usernames and passwords from common sites like Google Mail
and Facebook".

Gmail always opens with SSL for me. Didn't Google make this the default after
Chinagate?

~~~
gcb
If you're the ISP, can't you fake ssl certs all the way down to the root?

Sorry if I'm being ignorant.

~~~
die_sekte
SSL certificates usually come with the OS or the browser. AFAIK there's no
easy way for the ISP to add certificates.

~~~
duskwuff
Unless they are a government entity which is recognized as a certificate
authority, or which can exert influence over one.

