How Facebook Dealt With The Tunisian Government Trying To Steal Every User's Passwords

from the security-in-action dept

If you haven't yet read it, you owe it to yourself to read Alexis Madrigal's fascinating piece at The Atlantic about how Facebook responded to what appears to have been a government-run, country-wide attack on Facebook (prior to the recent regime change) designed to capture every Tunisian user's Facebook password. As the article notes, for all the talk of how much Twitter was used to communicate during the Tunisian protests and the eventual ouster of the old government, Facebook may have played an even bigger role.

Meanwhile, Facebook's security staff had been hearing anecdotal stories from people in Tunisia claiming their accounts had been hacked, along with other indications that something odd was going on. Eventually, they realized that the Tunisian ISPs appeared to be running a giant man-in-the-middle keylogger system that recorded a user's password any time they logged into Facebook. So how do you respond to that if you're Facebook? A two-step approach: first, force all traffic from Tunisia to run over HTTPS, so the passwords are encrypted in transit and nothing sitting in the ISP's path can read them or tamper with the login page; second, set up a system that, when people logged in, asked them to identify a friend in order to prove it was really them. Of course, all of this makes me wonder why Facebook doesn't always use HTTPS, but that's another question for another day.
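The first half of that response, pushing one population of users onto HTTPS, amounts to an edge policy that can be written down. What follows is an added example in Python; it is not Facebook's code and does not come from The Atlantic piece. It assumes, for illustration only, that the client's country arrives as an ISO 3166-1 alpha-2 code from an upstream GeoIP layer, that an X-Forwarded-Proto header is set only by a trusted TLS terminator, and the cookie name is made up. It also covers two details a practitioner would want that the paragraph leaves implicit: a login POST that has already crossed the wire in plaintext is refused rather than redirected, and the post-login session cookie is marked Secure so the next plaintext request does not hand a live session to the same box that was after the password.

```python
"""
Added example (not Facebook's code): an edge policy that forces a chosen
population of clients off plaintext HTTP and onto HTTPS, so a box sitting in
the ISP path can no longer read the login exchange or rewrite the page that
carries it. Assumptions, for illustration only: the client's country arrives
as an ISO 3166-1 alpha-2 code from an upstream GeoIP layer, X-Forwarded-Proto
is set only by a trusted TLS terminator, and the cookie name is made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Countries whose traffic is forced onto HTTPS. An empty set means everyone,
# which is the right default today; the narrow set mirrors the post's scoping.
FORCED_COUNTRIES = {"TN"}

# Once a browser has received this header over HTTPS it rewrites future
# plaintext URLs for the host to https:// itself, so the redirect below is
# only needed for first contact.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


@dataclass
class Request:
    method: str                  # "GET", "POST", ...
    scheme: str                  # scheme of the connection as the app sees it
    host: str                    # Host header, e.g. "www.example.com"
    path: str                    # path plus query string, e.g. "/login.php?next=%2F"
    country: Optional[str]       # GeoIP country code, None if the lookup failed
    forwarded_proto: Optional[str] = None  # X-Forwarded-Proto from the TLS terminator


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def effective_scheme(req: Request) -> str:
    """Behind a TLS-terminating proxy every connection looks like plain http to
    the application, so the terminator's X-Forwarded-Proto is authoritative
    (assumption: untrusted hops cannot set it)."""
    if req.forwarded_proto in ("http", "https"):
        return req.forwarded_proto
    return req.scheme


def must_use_https(req: Request) -> bool:
    """Is this client in the population being forced onto HTTPS? A failed GeoIP
    lookup (None) is treated as in scope: better to fail closed than to leave
    an unidentified user on plaintext."""
    if not FORCED_COUNTRIES:
        return True
    return req.country is None or req.country.upper() in FORCED_COUNTRIES


def enforce_https(req: Request) -> Optional[Response]:
    """Return a Response that ends the plaintext request, or None if the request
    may be served (the caller should then pass its headers through add_hsts)."""
    if effective_scheme(req) == "https" or not must_use_https(req):
        return None
    if req.method not in ("GET", "HEAD"):
        # A POST that arrived over HTTP has already shown its body (the
        # password) to everything in the path. Redirecting it would only
        # launder the request, so refuse it and make the client start over.
        return Response(403, {"Content-Type": "text/plain"})
    host = req.host[:-3] if req.host.endswith(":80") else req.host
    return Response(301, {"Location": f"https://{host}{req.path}"})


def add_hsts(req: Request, headers: Dict[str, str]) -> Dict[str, str]:
    """Attach Strict-Transport-Security to HTTPS responses for the forced
    population. Browsers ignore the header on plaintext responses, and scoping
    it lets the rollout be staged the same way the redirect is."""
    if effective_scheme(req) == "https" and must_use_https(req):
        headers["Strict-Transport-Security"] = HSTS_VALUE
    return headers


def session_cookie(value: str, name: str = "sid") -> str:
    """Set-Cookie value for the post-login session. Without the Secure flag the
    browser would send it on the next plaintext request and the box in the
    path would get a live session instead of a password; HttpOnly keeps any
    script injected into a page from reading it."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed requests: a Tunisian client loading the login page over HTTP,
    # and the same client after following the redirect through the terminator.
    first = Request("GET", "http", "www.example.com", "/login.php?next=%2F", "TN")
    print(enforce_https(first))
    second = Request("GET", "http", "www.example.com", "/login.php?next=%2F", "TN",
                     forwarded_proto="https")
    print(enforce_https(second), add_hsts(second, {}))
```

The redirect itself still travels over plaintext, so on a user's very first contact the same in-path box could swallow it and serve its own page; the HSTS header only protects the browser after it has completed one clean HTTPS visit, which is the gap preload lists exist to close. The second half of Facebook's response, the friend-identification check, is an authentication step on top of this and is not modelled here.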

While the solution wasn't perfect, it appears to have mostly done the job, even if it came a bit late in the process. But just from an outsider's perspective, it is a fascinating story of how various internet tools are playing into world politics, and how that leads to some totally unexpected situations.

Filed Under: hacking, passwords, tunisia
Companies: facebook

Reader Comments


  1. Kurata, 27 Jan 2011 @ 2:43am

    To add something to this story, it seems Facebook has definitely adopted HTTPS on login, and is considering adding the social login à la Tunisian to its current system.

    I think we could say that Facebook actually learned from the Tunisian revolution as well.
