Injected JavaScript = MITM hijackings

CloneRanger · Mar 12, 2011

More than just MITM attacks, rather SITM = State In The Middle

This is from earlier on in the year, but as i didn't see it posted before i feel it's very worthwhile including.

Tunisian government harvesting usernames and passwords

The Tunisian Internet Agency (Agence tunisienne d'Internet or ATI) is being blamed for the presence of injected JavaScript that captures usernames and passwords. The code has been discovered on login pages for Gmail, Yahoo, and Facebook, and said to be the reason for the recent rash of account hijackings reported by Tunisian protesters.

*

As for the JavaScript itself, The Tech Herald has seen examples of the embedded script during live surfing sessions with sources in Tunisia, and in posted source code made available to the Web. The source for the GMail injection is here, the Yahoo injection is here, and Facebook is here.

Four different experts consulted by The Tech Herald independently confirmed our thoughts; the embedded code is siphoning off login credentials.

http://www.thetechherald.com/articl...government-harvesting-usernames-and-passwords
Click to expand...

Originally saw it here - http://www.cpj.org/internet/2011/01/tunisia-invades-censors-facebook-other-accounts.php - with various comments/ideas etc

Carbonyl · Mar 13, 2011

I must be missing something here. How did the malicious javascript code get onto "login pages for Gmail, Yahoo, and Facebook"? I'm not sure how anyone could compromise those login pages without making a much bigger scene.

elapsed · Mar 13, 2011

Carbonyl said:

I must be missing something here. How did the malicious javascript code get onto "login pages for Gmail, Yahoo, and Facebook"? I'm not sure how anyone could compromise those login pages without making a much bigger scene.
Click to expand...

DNS redirection maybe?

x942 · Mar 13, 2011

Carbonyl said:

I must be missing something here. How did the malicious javascript code get onto "login pages for Gmail, Yahoo, and Facebook"? I'm not sure how anyone could compromise those login pages without making a much bigger scene.
Click to expand...

If you are on the same LAN as the victim all you need to do is a little ARP poisining and redirect facebook to your computer or another server running a fake google login and the malicious script. This is incredibly easy if you are on the same LAN (done it at starbucks plenty of times). If attempting this over WAN than you need to compromise the victims computer first, use URL shorten or redirects, use tabnapping, or finally DNS Cache poisining. Attacks like these are way easier of LAN and as such unless you are sitting on open wifi you dont have much to worry about.

MrBrian · Mar 13, 2011

Carbonyl said:

I must be missing something here. How did the malicious javascript code get onto "login pages for Gmail, Yahoo, and Facebook"? I'm not sure how anyone could compromise those login pages without making a much bigger scene.
Click to expand...

From the article:

Code planting on this scale could only originate form an ISP.
Click to expand...

The ISP itself can inspect and modify your traffic as long as it's not encrypted.

Another example of this concept: ISPs Able To Use Your Surfing Data To Insert Their Own Ads Everywhere.

Log in or Sign up

Injected JavaScript = MITM hijackings

CloneRanger Registered Member

Carbonyl Registered Member

elapsed Registered Member

x942 Guest

MrBrian Registered Member

Log in or Sign up

Injected JavaScript = MITM hijackings

CloneRanger Registered Member

Carbonyl Registered Member

elapsed Registered Member

x942 Guest

MrBrian Registered Member

Useful Searches