He claims to be 21 years old, a student of software engineering in Tehran who reveres Ayatollah Ali Khamenei and despises dissidents in his country.
He sneaked into the computer systems of a security firm on the outskirts of Amsterdam. He created fake credentials that could allow someone to snoop on Internet connections that appeared to be secure. He then shared that bounty with people he declines to name.
The fruits of his labor are believed to have been used to tap into the online communications of as many as 300,000 unsuspecting Iranians this summer. What’s more, he punched a hole in an online security mechanism that is trusted by millions of Internet users all over the world.
Comodohacker, as he calls himself, insists he acted on his own and is unperturbed by the notion that his work may have been used to spy on antigovernment compatriots.
“I’m totally independent,” he said in an e-mail exchange with The New York Times. “I just share my findings with some people in Iran. They are free to do anything they want with my findings and things I share with them, but I’m not responsible.”
In the annals of Internet attacks, this is likely to go down as a moment of reckoning. For activists, it shows the downside of using online tools to organize: an opponent with enough determination and resources just might find a way to track their every move.
It also calls into question the reliability of a basic system of trust that global Internet brands like Google and Facebook, along with their users, rely upon. The system is intended to verify the authenticity of a particular Web site — to ensure, in effect, that Gmail is Gmail, and that the connection to the site is encrypted and difficult for an outsider to monitor.
Hundreds of companies and government authorities around the world, including in the United States and China, have the power to issue the digital certificates that the system relies upon to verify a site’s identity. The same hacker is believed to be responsible for attacks on three such companies.
In March, he claimed credit for a breach of Comodo, in Italy. In late August came the attack on the Dutch company DigiNotar. On Friday evening, a company called GlobalSign said it had detected an intrusion into its Web site, but not into more confidential systems.
Armed with certificates stolen from companies like these, someone with control over an Internet service provider, like the Iranian authorities, could trick Internet users into thinking they were safely connected to a familiar site, while eavesdropping on their online activity.
Fearing the prospect of other breaches similar to those carried out by this hacker, Mozilla, the maker of the Firefox Web browser, last week issued a warning to certificate authority companies to audit their security systems or risk being booted off Firefox.
“It is a real example of a weakness in security infrastructure that many people assumed was trustworthy,” said Richard Bejtlich, the chief security officer of Mandiant Security in Alexandria, Va. “It’s a reminder that it is only as trustworthy as the companies that make up the system. There are bound to be some that can’t protect their infrastructure, and you have results like this.”