How Facebook Dealt With The Tunisian Government Trying To Steal Every User's Passwords

from the security-in-action dept

If you haven't yet read it, you owe it to yourself to read Alexis Madrigal's fascinating piece at The Atlantic about how Facebook responded to what apparently was a government-run country-wide hack attack on Facebook (prior to the recent regime change) designed to capture every Tunisian user's Facebook password. As the article notes, for all the talk of how much Twitter was used to communicate during the Tunisian protests and eventual ouster of the old government, Facebook may have played an even bigger role.

However, Facebook's security staff had been hearing anecdotal stories from people in Tunisia claiming their accounts had been hacked, along with some indications that something odd was going on. Eventually, they realized that the Tunisian ISPs appeared to be running a giant man-in-the-middle keylogger system, that would record a user's password any time they logged into Facebook. So how do you respond to that if you're Facebook? A two-step approach: force all traffic from Tunisia to run through https: to encrypt the passwords and prevent this from happening and then set up a system for when people logged in, asking them to identify a friend, in order to prove it was really them. Of course, all of this makes me wonder why Facebook doesn't always use https, but that's another question for another day.

While the solution wasn't perfect, it appears to mostly do the job, even if it came a bit later in the process. But just from an outsider's perspective, it is a fascinating story of how various internet tools are playing into world politics, and how that leads to some totally unexpected situations.

Filed Under: hacking, passwords, tunisia
Companies: facebook

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 26 Jan 2011 @ 3:53pm

    Re: All Sites Should Be Doing This For Passwords

    Facebook sucks are security... Why else would they have given access to most of your private information to "developers" (quotes because the term is used very loosely, as anyone can become a developer). Countries are forcing it to enforce its security because it has always been, and probably will always be, one of the worst secured sites out there. Kinda sucks for the ones using it that it's so popular heh.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.