Demonstrations and protests over unemployment and poor living conditions have been ongoing in Tunisia since the beginning of December, but last week the Tunisian government turned up the heat on bloggers, activists, and dissidents by launching a JavaScript injection attack that siphoned off the usernames and passwords of Tunisians logging in to Google, Yahoo, and Facebook. The Tunisian government has used these stolen credentials to log in to Tunisians’ email and Facebook accounts, presumably downloading their messages, emails, and social graphs for further analysis, and then deleting the accounts entirely.
Among the compromised accounts are Facebook pages administered by a reporter with Al-Tariq ad-Jadid, Sofiene Chourabi, video journalist Haythem El Mekki, and activist Lina Ben Khenni. Unsatisfied with merely quelling online freedom of expression, the Tunisian government has used the information it obtained to locate bloggers and their networks of contacts. By late last week, the Tunisian government had started arresting and detaining bloggers, including blogger Hamadi Kaloutcha, and cyberactivist Slim Ammamou, who alerted the world to his whereabouts at the Tunisian Ministry of the Interior using Google Latitude. This weekend, Tunisian citizens began to report on Twitter and in blogs that troops were using live ammunition on unarmed citizens and started communicating with one another to establish the numbers of dead and injured.
Most notably, Tunisians have been posting videos of the protests, including the dead and wounded on Facebook, the only video-sharing site which is not currently being blocked by the Tunisian government, which makes access to Facebook especially important for the protest movement.
Because of the Tunisian government’s attacks on citizens’ login credentials, Tunisians should take the following steps to protect themselves:
- If HTTPS is available, use HTTPS to log in to Facebook, Google, and Yahoo. If you are using Firefox, EFF’s HTTPS Everywhere plug-in will do this for you automatically.
- EFF has received reports that the Tunisian government is periodically blocking HTTPS access to Facebook, Google, and Yahoo. If that is the case and you must log in over HTTP, install the following Greasemonkey script to strip out the JavaScript which the Tunisian government has inserted to steal your login credentials.
- If you have logged in to Facebook, Google, or Yahoo recently over HTTP, log in using HTTPS and change your password.
Additionally, EFF calls on Google, Yahoo, and Facebook to take action to protect the privacy of their users by alerting them of the potential compromise of their accounts and encouraging them to take the above steps.
Finally, Facebook has reported that it is in the process of taking technical steps to protect the privacy of its users. We hope that they include the following:
- Make Facebook logins default to HTTPS, if only in Tunisia, where accounts are especially vulnerable at this time. Google and Yahoo logins already default to HTTPS.
- Consider allowing pseudonymous accounts for users in authoritarian regimes, where political speech under your real name is dangerous and potentially deadly. Many Tunisian activists are unable to reinstate Facebook accounts that have been erased by the Tunisian government because they were not using their real names.
Websites providing services to Tunisian citizens cannot afford to sit on the sidelines while the Tunisian government launches malicious attacks on the privacy of users and censors free expression. Facebook, Google, and Yahoo should take these concrete steps as quickly as possible to inform and better protect their users.