Almost 300,000 IP addresses originating from Iran accessed Google through a fraudulently obtained digital certificate. The certificate was issued by DigiNotar, a Dutch certificate authority.
The certificate was revoked at the end of August, but not before potential damage was done. The IP address list will be handed over to Google so that the search company can inform its users that their email may have been intercepted during this period.
Alongside the emails, login cookies may also have been intercepted. Cookies can contain valuable information about the user's online activities, including online shopping details and sometimes banking data. Fox-IT, the security firm that discovered the flaw, said that it would be wise for all Iranian users to change their passwords, or at least to log out and log back in.
531 digital certificates were issued in a short period of time, including certificates for sites such as the CIA's and that of Israel's intelligence service, Mossad. 99 percent of the IP addresses originated from Iran, indicating that the goal of the hackers was to intercept the secure communications of Iranian users.
Another security firm, Trend Micro, stated that validation.diginotar.nl, the site through which the IP addresses were routed, was expected to be visited almost exclusively by Dutch users. The flag was raised when almost all of the IP addresses came from outside the country.
It was then made public that rogue Google.com security certificates had been issued to Iranian internet users via DigiNotar. The certificates were, however, quickly revoked. DigiNotar was then contacted in order to report back on the breach.
The first fraudulent certificate was issued in early July, meaning that the security controls in place at DigiNotar were not strong enough to prevent or promptly detect this intrusion into private communications. The full report on the DigiNotar certificate authority breach, codenamed "Operation Black Tulip", can be found here.