
Considering that the backbone of the Tunisian Internet is full of state-run filters and firewalls designed to block access, configuring one to log the GET commands with the harvested data would be trivial. But is this a government-sponsored action?
The likelihood that a group of criminals compromised the entire Tunisian infrastructure is virtually nonexistent. Code planting on this scale could only originate from an ISP. With their history of holding an iron grip on the Internet, ATI is the logical source of the information harvesting.
There is an upside, however: the embedded JavaScript only appears when one of the sites is accessed over HTTP instead of HTTPS. In each test case, we were able to confirm that Gmail and Yahoo were only compromised when HTTP was used. For Facebook, on the other hand, the default access is HTTP, so users in Tunisia will need to visit the HTTPS address manually.
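As an added example (not from the original article): because the extra script shows up only over plain HTTP, comparing the `<script>` elements of the same page fetched over HTTP and over certificate-validated HTTPS exposes anything added in transit. The two page bodies are constructed samples, and the class and function names are assumptions chosen for illustration.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Records every <script>: external ones by src URL, inline ones by SHA-256."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # tuples of (kind, key, detail)
        self._buf = None    # collects text while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src, src))
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
            self.scripts.append(("inline", digest, body))
            self._buf = None


def scripts_in(html):
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.scripts


def injected_scripts(http_html, https_html):
    """Scripts present in the HTTP copy but absent from the HTTPS reference copy."""
    reference = {(kind, key) for kind, key, _ in scripts_in(https_html)}
    return [s for s in scripts_in(http_html) if (s[0], s[1]) not in reference]


# Constructed sample pages: the HTTP copy carries one extra inline script.
HTTPS_PAGE = """<html><head><script src="/static/login.js"></script></head>
<body><form id="login"></form><script>initLogin();</script></body></html>"""
HTTP_PAGE = HTTPS_PAGE.replace(
    "</body>", "<script>/* constructed placeholder */ extraCode();</script></body>")

if __name__ == "__main__":
    for kind, key, detail in injected_scripts(HTTP_PAGE, HTTPS_PAGE):
        print(f"only in HTTP copy: {kind} {key[:16]} {detail!r}")
```

Pages that legitimately vary between requests (per-session inline scripts, for instance) will also show differences, so a hit is a lead to inspect rather than proof of tampering.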
…
The information surrounding the embedded JavaScript came to our attention thanks to a user on the IRC server where supporters for Anonymous’ Operation: Tunisia gathered to show support for Tunisian protesters. When word spread of embedded code and account hijackings, Anonymous offered Tunisian users help via Userscripts.org, with a browser add-on that strips the added JavaScript code.