[LINK] Tunisian password harvesting

Birch, Jim Jim.Birch at dhhs.tas.gov.au
Fri Jan 28 09:57:24 AEDT 2011


(If you missed it) the Tunisian government appears to have run a code
injection attack to harvest passwords for all users of Facebook and
possibly other sites.  The attack involves injecting some simple
javascript into login pages as they pass through ISPs.

http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html

What is also interesting - for non-Tunisians - is that a similar attack
could be launched quite easily anywhere with a wireless laptop running a
proxy server by faking a public internet access point.  You'd just need
a javascript library tweaked to sites of interest.

Facebook's response:

http://www.techdirt.com/articles/20110126/04453512834/how-facebook-dealt-with-tunisian-government-trying-to-steal-every-users-passwords.shtml

This simple attack won't work if the login page runs on https, although
I guess it will always be possible to run more complex versions on some
browser/user combinations.

- Jim 
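An added example, not from Jim's post or the linked articles, of what a defender can check for on a fetched login page given the attack described above: inline script blocks whose hash is not in a known-good set (the same idea as hash-based script allowlisting), and password forms that would submit over plain http. The HTML pages, the hostname login.example.test and the allowlist are all constructed sample data; the checker only inspects a page body it is handed and performs no network access.

```python
"""Flag tampering indicators in a login page body (added example, constructed data)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginPageAuditor(HTMLParser):
    """Collect inline <script> bodies and any <form> containing a password field."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self._script_buf = []
        self.inline_scripts = []       # bodies of <script> tags without src=
        self._form = None              # attributes of the form currently open
        self._form_has_password = False
        self.password_forms = []       # (action, method) for forms with a password input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:
            self._in_script = True
            self._script_buf = []
        elif tag == "form":
            self._form = a
            self._form_has_password = False
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form_has_password = True

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._script_buf))
        elif tag == "form" and self._form is not None:
            if self._form_has_password:
                action = self._form.get("action") or ""
                method = (self._form.get("method") or "get").lower()
                self.password_forms.append((action, method))
            self._form = None

    def handle_data(self, data):
        # html.parser delivers <script> contents through handle_data
        if self._in_script:
            self._script_buf.append(data)


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_login_page(html, page_url, known_script_hashes):
    """Return a list of findings; an empty list means nothing was flagged."""
    p = LoginPageAuditor()
    p.feed(html)
    p.close()
    findings = []
    for body in p.inline_scripts:
        h = sha256_hex(body.strip())
        if h not in known_script_hashes:
            findings.append("unexpected inline script sha256=" + h[:16] + "...")
    for action, method in p.password_forms:
        target = urljoin(page_url, action)
        scheme = urlparse(target).scheme
        if scheme != "https":
            findings.append("password form submits over " + scheme + ": " + target)
        if method != "post":
            findings.append("password form uses " + method.upper() + "; credentials would appear in the URL")
    return findings


# Constructed sample pages. GOOD_SCRIPT is the site's own known script;
# the second page carries an extra, unrecognised inline block and an http action.
GOOD_SCRIPT = "window.ready = true;"
KNOWN_HASHES = {sha256_hex(GOOD_SCRIPT)}
PAGE_URL = "https://login.example.test/"

CLEAN_PAGE = (
    "<html><head><script>" + GOOD_SCRIPT + "</script></head><body>"
    '<form action="/session" method="post">'
    '<input name="user"><input type="password" name="pass"></form></body></html>'
)
TAMPERED_PAGE = (
    "<html><head><script>" + GOOD_SCRIPT + "</script>"
    '<script>/* constructed: block not in allowlist */ console.log("x");</script></head><body>'
    '<form action="http://login.example.test/session" method="post">'
    '<input name="user"><input type="password" name="pass"></form></body></html>'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_login_page(page, PAGE_URL, KNOWN_HASHES) or ["no findings"])
```

The hash allowlist only catches scripts added or altered in transit; as the post says, serving the login page and its form target over HTTPS is what stops the simple version of the attack, and this kind of check is a monitoring aid, not a substitute.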