Crazy, so if this is legit, this really is more akin to a keylogger than them sniffing the network traffic, which is what I thought was meant by it.
Tunisian ISPs were injecting some JavaScript code on Facebook's login page that was watching the keystrokes in the login/password fields. When someone clicked LOGIN, the script would send those credentials to a URL, but also to Facebook's HTTPS login page, so everything proceeded as normal.
Interesting vector for an attack. It seems like the solution of serving the login page itself in HTTPS as well is simple (and cheap) enough that everybody should adopt it.
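A defender-side check for the condition described in the comment above, added here as an example and not part of the original post: given a page URL and its HTML, it flags a password form whose page was delivered over plain HTTP even when the form submits to HTTPS. The names `LoginFormAudit` and `audit_login_page` and the `example.test` hosts are hypothetical, and the sample markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormAudit(HTMLParser):
    """Collects form actions, password fields and script sources (hypothetical helper)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []    # each entry: [absolute action URL, has password field]
        self.scripts = []  # absolute URLs of external scripts
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page URL itself.
            self._open = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._open)
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open[1] = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_page(page_url, html):
    """Return a list of findings for a page that carries a password form."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    login_forms = [f for f in parser.forms if f[1]]
    findings = []
    for action, _ in login_forms:
        if urlparse(page_url).scheme != "https":
            # An HTTPS submit target does not help: the page holding the
            # form can be modified in transit before the user types.
            findings.append("login-page-not-https")
        if urlparse(action).scheme != "https":
            findings.append("form-posts-over-http")
    if login_forms:
        findings += ["script-over-http:" + s for s in parser.scripts
                     if urlparse(s).scheme != "https"]
    return findings


# Constructed sample: form posts to HTTPS, page and script are relative to the page URL.
SAMPLE = ('<form action="https://login.example.test/login"><input type="text" name="email">'
          '<input type="password" name="pass"></form><script src="/static/app.js"></script>')
```

Run against the same markup fetched over `https://`, the function returns an empty list, which is the fix the comment proposes.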