Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Extension Makes Social-Network ID Spoofing Trivial

Posted by timothy on from the plausible-deniability-for-farmville dept.

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other website requiring a login, and simply hijack them and impersonate the user."

9 of 185 comments (clear)

  1. Why no encryption? by AHuxley · · Score: 3, Interesting

    What is the cpu use and heat of the user base requesting and using ssl vs this bad news?
    "Double-click on someone, and you're instantly logged in as them."
    Whats the the extra use 15-20%? vs unencrypted HTTP.
    Would ssl been left off allow creative law enforcement uses?

    --
    Domestic spying is now "Benign Information Gathering"
  2. Promiscuous mode on any adapter? by SpinningCone · · Score: 5, Interesting

    I used to do sniffing and stuff like this a couple years ago and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st party drivers to allow sniffing. I used a linksys usb adapter since there were 3rd party drivers that allowed it.

    unless something has changed I thought most wireless driver didn't support promiscuous mode for sniffing.

  3. How does it work? by pinkeen · · Score: 3, Interesting

    The article is extremely light on details. The plugin's page doesn't tell much either. I'm curious how does it capture the WIFI packets. Is it possible to capture them when not in monitor mode?

    1. Re:How does it work? by pinkeen · · Score: 3, Interesting

      That wasn't my question. When in monitor (promiscous) mode, adapter can capture but cannot associate and give you internet connection. So, when you capture packets you need another wlan adapter or ethernet nic for your internet conncetion to actually use this stolen cookies. There's no mention of it on the site. So I wondered that maybe the plugin does some magic and captures packets while the same adapter is associated with an ap.

  4. Am I the only one who finds it amusing... by Viol8 · · Score: 2, Interesting

    ... that the bleating masses who so readily rushed to put their entire lives and details on social networking sites despite all the warnings are now running around shouting at all the chickens that are coming home to roost?

    For the rest of us with some common sense this is just hilarious.

  5. Re:No HTTPS encryption by FrostDust · · Score: 2, Interesting

    Do they have any guarantee that all of their users have a browser that supports HTTPS?

    To Facebook, it's better to allow access to as many users as possible, than lock some out in the name of security.

  6. Re:WPA2 will work better against this hack by Instant_Karmma · · Score: 2, Interesting

    This works on any network segment, including wired. How many people do you know that use Facebook, Amazon, etc. from their desks? Sure, your traffic could always be monitored by the PFY's in the data center, but now your pointy-haired boss has a tool that allows him to see what you've been buying. No thanks.

  7. Re:https everywhere by anti-pop-frustration · · Score: 4, Interesting

    https everywhere is indeed a great extension, and everybody should be using it.

    But some of the services that Firesheep target don't offer an https option *at all*. This is no rebuttal, it only proves Firesheep developer's point : these services have an unappropriate level of security.

    The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail service this is utterly unacceptable. https for login is a fig leaf, the only thing this does is give users a false sense of security.

  8. KB SSL Enforcer by brunes69 · · Score: 2, Interesting

    This is why I use this Chrome extension - https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof

    Basically for any site you go to it AUTOMATICALLY redirects you to the SSL version of that site if it exists. Including ssl.facebook.com.

    Yes ssl.facebook.com should be the default, as should most sites, but until they are this extension is invaluable IMO.