Slashdot Mirror


Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other website requiring a login, and simply hijack them and impersonate the user."

14 of 185 comments

  1. Illegal? by Anonymous Coward · · Score: 5, Informative

    I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this) but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal laws in the US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?)

    So be careful where you click..

  2. A better explanation by buchner.johannes · · Score: 5, Informative

    here: http://codebutler.com/firesheep

    They apparently call it "sidejacking", i.e. sniffing other users' cookies from a wifi, and using them. Not new, but made user-friendly.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:A better explanation by thomst · · Score: 3, Informative

      here: http://codebutler.com/firesheep.

      Steve Manuel of TechCrunch claims that the Force-TLS 2.0 Firefox extension can defeat Firesheep. (You have to configure it manually for each site you want to protect, though, so it's somewhat of a PITA.)

      Another option is the HTTPS Everywhere Firefox extension from EFF and the Tor Project. Although HTTPS Everywhere has a predefined ruleset that includes some of the most popular Web sites, you'll still have to write your own ruleset for any site not on their default list.

      --
      Check out my novel.
  3. Re:Am I the only one who finds it amusing... by betterunixthanunix · · Score: 3, Informative

    To be fair, most of those people do not actually care. There is a small minority of users who do care, but for some reason continue to use those websites; the rest just want to follow the crowd without stopping to question anything.

    --
    Palm trees and 8
  4. Re:What permissions do you need ? by mbone · · Score: 3, Informative

    What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

    None, no, and most emphatically yes.

  5. Re:How does it work? by will_die · · Score: 3, Informative

    You first need to install WinPcap; this is the program that does the actual work. You then log on to the wifi, using a password if required, and the program starts looking for known cookies. If it finds them it captures the info and gives you a nice user-friendly way of using them.
    It can capture the wifi traffic since anyone can capture it if you are within range of the transmissions. If you are not monitoring when the signals go out, you cannot capture them.

  6. Re:https everywhere by skywatcher2501 · · Score: 3, Informative
  7. Re:No HTTPS encryption by muckracer · · Score: 4, Informative

    > Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in [--DrYak]

    > I still have to manually change http to https in the URL every time they decide to sign me off. [--cindyann]

    Install the HTTPS-Everywhere FF Plugin. It will SSL-encrypt Facebook and a host of other domains. Only drawback: Chat doesn't work via SSL atm.

    https://www.eff.org/https-everywhere

    And while you're at it, also install the BetterPrivacy Add-on:

    https://addons.mozilla.org/en-US/firefox/addon/6623/

    which will get rid of the LSO cookie Facebook sets each time you use it. Best used in conjunction with AskforSanitize.

  8. Re:Why no encryption? by maxume · · Score: 5, Informative

    When Google switched Gmail over to HTTPS all the time for everything, they found it accounted for 1% of CPU load:

    http://unblog.pidster.com/imperialviolet-overclocking-ssl?c=1

    So Facebook probably wouldn't need to do much more than get their software set right.

    --
    Nerd rage is the funniest rage.
  9. Re:No HTTPS encryption by lavagolemking · · Score: 4, Informative

    Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/:

    <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

    The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/ rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.

    That said, if you're worried about it you could always install HTTPS Everywhere and it will make Facebook always load using SSL.
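
    As an added illustration of the two weaknesses the thread describes (comment 5: a session cookie that travels over plain HTTP and can be sniffed; comment 9: an HTTPS login form embedded in an HTTP page that an active attacker can rewrite), here is a small defender-side audit script that is not from any poster, from Firesheep or from Facebook. It runs over a constructed sample response; the cookie names, hostname and the session-cookie name heuristic are assumptions.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample: a page served over plain HTTP that embeds an HTTPS login
# form and sets a session cookie without the Secure attribute (the Firesheep case).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    '<form method="POST" action="https://login.example.com/login.php" id="login_form">'
)

# The same page as it should be served: over HTTPS, with HSTS and a Secure session cookie.
HARDENED_RESPONSE = SAMPLE_RESPONSE.replace(
    "Set-Cookie: sid=abc123; Path=/; HttpOnly",
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly",
)

# Assumed heuristic for which cookie names carry a session (adjust per site).
SESSION_COOKIE_HINT = re.compile(r"sess|sid|token|auth", re.I)


def audit_response(raw, page_scheme="http"):
    """Return findings for a raw HTTP response fetched over page_scheme ('http' or 'https')."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = [l.split(":", 1) for l in head.split("\r\n")[1:] if ":" in l]
    findings, hsts = [], False
    for name, value in headers:
        name, value = name.strip().lower(), value.strip()
        if name == "strict-transport-security":
            hsts = True
        elif name == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                # A session cookie without Secure is replayed on every plain-HTTP request,
                # so a passive sniffer on the same network segment can reuse it.
                if SESSION_COOKIE_HINT.search(key) and not morsel["secure"]:
                    findings.append(f"cookie {key} lacks Secure: sent over plain HTTP, sidejackable")
    if not hsts:
        findings.append("no Strict-Transport-Security: browser keeps accepting plain HTTP")
    for action in re.findall(r'<form[^>]*action="([^"]+)"', body, re.I):
        # An HTTPS form inside an HTTP page protects the credentials only if nobody
        # rewrote the action on the way; the unencrypted page itself is untrusted.
        if page_scheme == "http" and action.lower().startswith("https://"):
            findings.append(f"HTTPS form {action} embedded in HTTP page: action is rewritable in transit")
    return findings
```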

  10. Use md5 (or something) over the wire by Compaqt · · Score: 3, Informative

    Leaving aside md5 cracks (use another algo if you want):

    md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.

    Plenty of security-conscious CMS's have been doing this before Mark Z even thought of an electronic facebook.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:Use md5 (or something) over the wire by jwietelmann · · Score: 4, Informative

      Hash = 1-way crypto

      The only way to "un-md5" anything is to crack it. Also, I'm not sure you actually put any real thought into this.

      Since it's best practice to store only password hashes (and not the passwords themselves) in your database (or whatever), your process is apparently:

      1. Client md5's the password, sends it to server
      2. Server "un-md5"s the password (let's say for argument's sake that this makes perfect sense)
      3. Server md5's the un-md5'd password
      4. Server checks hash against user's hash in the database
  11. Re:and this is news ? by Aqualung812 · · Score: 4, Informative

    You have the choice - if you visit https://facebook.com/ it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

    Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  12. Re:What permissions do you need ? by Stray7Xi · · Score: 3, Informative

    What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

    You need to be administrator to place your network card into promiscuous mode or rfmon for wireless.

    So in a public wifi network you're screwed. In a public ethernet network it depends if it's a switched or hubbed network. But even in a switched network you could be vulnerable to this via ARP poisoning.

    The takeaway is what we've known for decades, if you want private communications use encryption.