Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Facebook Responded To Tunisian Hacks

Posted by Soulskill on from the occupying-the-town-of-zuckerberg dept.

jamie writes "Facebook's security team opens up, shedding light on a revolution that could become a parable for Internet activism. Quoting: 'After more than ten days of intensive investigation and study, Facebook's security team realized something very, very bad was going on. The country's Internet service providers were running a malicious piece of code that was recording users' login information when they went to sites like Facebook. By January 5, it was clear that an entire country's worth of passwords were in the process of being stolen right in the midst of the greatest political upheaval in two decades. Sullivan and his team decided they needed a country-level solution — and fast. Though Sullivan said Facebook has encountered a wide variety of security problems and been involved in various political situations, they'd never seen anything like what was happening in Tunisia.'"

3 of 227 comments (clear)

  1. Re:Duh by Anonymous Coward · · Score: 4, Interesting

    Anyone who logged in during the period of time where passwords were being captured was presented with photos and asked to pick the ones featuring their friends. Then they were asked to choose a new password.

  2. Re:Duh by MichaelSmith · · Score: 3, Interesting

    The ISP can run a proxy which pretends to be the user from the point of view of facebook and pretends to be facebook from the point of view of the user. It can run an https connection to facebook and forward it to the user as a plain http connection. That way it can record or change anything in the facebook session and the user probably won't be aware that the proxy is there.

    The proxy could also run an https connection between the proxy and the user but that is more difficult because encryption software in the browser would alert the user that the proxy is not facebook. However if the browser has been fiddled with its game over for the user on many levels. Lots of people in the third world access the internet from internet cafes. One place I used in Malaysia has a single windows image which is booted across the LAN when a workstation is started. If the Government got their own software on to the server with that image, or changed the template for all the internet cafes then it would be impossible to guarantee security.

    --
    http://michaelsmith.id.au
  3. Re:Duh by TheMidget · · Score: 3, Interesting

    Meaning the calls to always use https actually make sense.

    Indeed. Most (all?) those online services, whether it be yahoo, facebook or myspace have their login box accessible from their main (non https) page. Even though login itself may be encrypted, the user is not supposed to enter the https himself, but he is instead redirected to a https page once he clicks login.

    ... which makes it easy to hijack this first step, and unless the user doublechecks the URL just before login for https, he will fall for it.

    It's scary how easy this is (I once did it for a friend who wanted to spy on his estranged wife), and you don't even need any funny javascript. Just have a proxy that substitutes https://login.service.com/ with http://login.service.com/ and you're set.

    This also makes those obnoxiously scary "bad certificate" warnings so pointless: the smart man-in-the-middle will avoid the certificate issue entirely, and just redirect everything to non-encrypted http.

    The only solution to this is to make the user aware of the process. Make it explicit that in order to login, you need to go to https://www.facebook.com/ or https://yahoo.com/ . That way, the user is forced to "do the right thing" if he wants to log in, and an interloper will have much more trouble intercepting. Instead of just hacking up a quick proxy perl script, he'll actually have to ask TunisCert to issue a fake certificate...