Tunisian Government Allegedly Hacking Facebook, Gmail Accounts of Dissidents and Journalists

A strange bit of JavaScript has found its way onto Tunisian Internet users' internet login screens. Some are now in jail in a country known for torture. But they've been adopted by an unlikely ally: Anonymous.

Massive riots and protests have rocked Tunisia this past month. After a 26-year-old street vendor named Mohammed Bouazizi attempted to kill himself by self-immolation (he survived and later died of his burns), hundreds of thousands took to the North African nation's streets. The protesters complain of unemployment, economic woes, and an omnipresent dictatorship. Tunisia's government has stumbled upon a new method of combating the protesters: hacking into their social media accounts.

According to a report by the Committee to Protect Journalists, the Tunisian government appears to be breaking into the Facebook, Google, and Yahoo accounts of dissidents and journalists. Hackers with unusual levels of access to Tunisia's state-controlled network infrastructure have managed to gain access to Facebook accounts belonging to individuals such as journalists Sofiene Chourabi of al-Tariq al-Jadid (New Path; a newspaper affiliated with the opposition Movement Ettajdid party) and independent video journalist Haythem El Mekki, while gaining the passwords of others. Hack targets found that Facebook groups they founded were deleted, as were pictures of protests. In CPJ's words, "Their accounts and pictures of recent protests have been deleted or otherwise compromised." Blogs hosted on Blogspot and elsewhere are also being targeted. Here is an excerpt from a post by Lina Ben Mhenni of the A Tunisian Girl blog:

Well, I can understand ... No I can't understand that some stupid person has hacked my e-mail then, my Facebook account. This stupid person has also deleted some pages in which I am an administrator. Pages like that of 7ellblog (launch a blog) which has been largely promoted even by official media, the page of the Tunisian singer Amel Mathlouthi, Reading Books is Better than Staring at others (yes they hate reading and culture in my country), the Tunisian blogosphere, and maybe a page against censorship 'la censure nuit à l'image de mon pays' (I don't have the confirmation yet) and many other pages were deleted. What happened is so shameful because the internet police is again confirming its stupidity and useless stubbornness. Sofiene Chourabi and Azyz Amami are experiencing the same problem now. They have been hacked.

Already, in-depth information is surfacing on how the hacks were committed. It appears that the Agence tunisienne d'Internet, a government agency which supervises all of Tunisia's ISPs, or someone with access to the agency committed them. Tunisian ISPs are running a piece of JavaScript that siphons off login credentials from users of Facebook, Yahoo and Gmail. According to the Tech Herald's Steve Ragan:

Daniel Crowley, Technical Specialist for Core Security, and Rapid7’s Josh Abraham, broke the code down further. Crowley explained that the JavaScript is customized for each site’s login form. It will pull the username and password, and encode it with a weak crypto algorithm. The newly encrypted data is placed into the URL, and a randomly generated five character key is added. The randomly generated key is meaningless, but it is assumed that it’s there to add a false sense of legitimacy to the URL. The random characters and encrypted user information are delivered in the form of a GET request to a non working URL.

The code only targeted users accessing HTTP sites instead of HTTPS, which appears to be why Facebook was so heavily ravaged by the hack plan. Facebook users default to using HTTP to access the site.
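
One way to triage web-proxy logs for the exfiltration pattern described above (a plain-HTTP GET to a non-working URL carrying a five-character key and an encoded blob), as an added example that is not part of the original article or the researchers' analysis. The log format, watch list, sample lines and thresholds are all constructed assumptions, since the article does not give the actual URL layout.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumed watch list: login hosts of the services named in the article.
WATCHED = ("facebook.com", "mail.google.com", "login.yahoo.com")

# Constructed proxy log lines: "<client> <method> <url> <status>".
SAMPLE_LOG = """\
10.0.0.5 GET http://www.facebook.com/login.php 200
10.0.0.5 GET http://www.facebook.com/x9Kq2?q=7d3a91c04be2f6a855190cde3377ab42f0 404
10.0.0.7 GET http://www.facebook.com/favicon.ico?v=2 404
10.0.0.9 GET http://example.org/missing?id=12 404
"""

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def tokens(url):
    """Path segments plus query parameter names and values."""
    parts = urlsplit(url)
    toks = [seg for seg in parts.path.split("/") if seg]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        toks += [key, value]
    return toks

def suspicious(line):
    """True for a plain-HTTP GET to a watched host that hit a dead URL
    and carries both a five-character key and a long high-entropy blob."""
    client, method, url, status = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    # The injected script only fired on HTTP pages and requested a non-working URL.
    if parts.scheme != "http" or method != "GET" or status != "404":
        return False
    if not any(host == w or host.endswith("." + w) for w in WATCHED):
        return False
    toks = tokens(url)
    has_key = any(re.fullmatch(r"[A-Za-z0-9]{5}", t) for t in toks)
    has_blob = any(len(t) >= 24 and entropy(t) >= 3.0 for t in toks)
    return has_key and has_blob

def scan(log):
    """Return the log lines that deserve manual review."""
    return [l for l in log.splitlines() if l.strip() and suspicious(l)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("REVIEW:", hit)
```

This is a triage heuristic: a hit is a request to review, not proof of injection, and the length and entropy thresholds need tuning against real traffic.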

Much of this information has been released to the public by the quasi-4Chan allied Anonymous group, which has launched an anti-Tunisian government hacker campaign called Operation: Tunisia.

Amamou was taken into police custody this past week after authorities apparently found his location via Foursquare. His current whereabouts are unknown.

The Agence tunisienne d'Internet has long been one of the most censorship-happy government agencies in all of Africa. Tunisia's net firewalls and intricate IP tracking mechanisms have been compared to China's, while popular sites like YouTube and DailyMotion were banned due to hosting videos alleging human rights abuses in Tunisian prisons. In one of the WikiLeaks cables on Tunisia, an anonymous diplomat notes endemic government corruption and refers to the government of President-for-life Zine al-Abidine Ben Ali as a "quasi-mafia" and a "police state."

While Facebook, Google and Yahoo have not spoken publicly on the alleged Tunisian government hacking campaign yet, the State Department has. In a press conference on Friday, January 7, spokesperson Philip Crowley stated:

We are concerned about recent reports that Tunisian ISP providers, at the direction of the government, hacked into the accounts of Tunisian users of American companies including Facebook, and providers of email such as Yahoo and Google, and stealing passwords. This kind of interference threatens the ability of civil society to realize the benefits of new technologies. Cyber intrusions of all kinds, including reported attacks on government of Tunisia websites, disrupt the free flow of information and reduce overall confidence in the reliability and security of vital information networks.

During the past week, in addition to Amamou, at least three other members of Tunisia's hacker and blogger communities were taken into custody by Tunisian police.


Follow the author of this story, Neal Ungerleider, on Twitter.
