Slashdot Mirror


Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."

5 of 185 comments

  1. Why no encryption? by AHuxley · · Score: 3, Interesting

    What is the CPU use and heat of the user base requesting and using SSL vs this bad news?
    "Double-click on someone, and you're instantly logged in as them."
    What's the extra use, 15-20%, vs unencrypted HTTP?
    Would SSL being left off allow creative law enforcement uses?

    --
    Domestic spying is now "Benign Information Gathering"
  2. Promiscuous mode on any adapter? by SpinningCone · · Score: 5, Interesting

    I used to do sniffing and stuff like this a couple of years ago, and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st party drivers to allow sniffing. I used a Linksys USB adapter since there were 3rd party drivers that allowed it.

    Unless something has changed, I thought most wireless drivers didn't support promiscuous mode for sniffing.

  3. How does it work? by pinkeen · · Score: 3, Interesting

    The article is extremely light on details. The plugin's page doesn't tell much either. I'm curious how it captures the WiFi packets. Is it possible to capture them when not in monitor mode?

    1. Re:How does it work? by pinkeen · · Score: 3, Interesting

      That wasn't my question. When in monitor (promiscuous) mode, the adapter can capture but cannot associate and give you an internet connection. So, when you capture packets you need another WLAN adapter or Ethernet NIC for your internet connection to actually use these stolen cookies. There's no mention of it on the site. So I wondered whether maybe the plugin does some magic and captures packets while the same adapter is associated with an AP.

  4. Re:https everywhere by anti-pop-frustration · · Score: 4, Interesting

    https everywhere is indeed a great extension, and everybody should be using it.

    But some of the services that Firesheep targets don't offer an https option *at all*. This is no rebuttal, it only proves the Firesheep developer's point: these services have an inappropriate level of security.

    The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail services this is utterly unacceptable. https for login is a fig leaf, the only thing this does is give users a false sense of security.
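
Added example (not part of the thread or of Firesheep): a site owner's check for the "https for login only" pattern the last comment describes, where cookies set during an HTTPS login are later sent over plain HTTP. The URLs, cookie names and the `audit_flow` helper are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: response headers recorded while logging in to a
# hypothetical site that uses HTTPS for the login form only.
SAMPLE_FLOW = [
    ("https://mail.example.test/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=x9; Path=/; Secure"),
        ("Location", "http://mail.example.test/inbox"),
    ]),
    ("http://mail.example.test/inbox", [
        ("Set-Cookie", "prefs=dark; Path=/"),
    ]),
]


def audit_flow(flow):
    """Return (url, finding) tuples for cookies that can travel in cleartext."""
    findings = []
    for url, headers in flow:
        page_is_https = urlsplit(url).scheme == "https"
        for name, value in headers:
            header = name.lower()
            if header == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                for cookie_name, morsel in jar.items():
                    # Without Secure, the browser also attaches the cookie
                    # to http:// requests, where anyone on the segment can read it.
                    if not morsel["secure"]:
                        findings.append((url, f"cookie '{cookie_name}' lacks Secure"))
            elif header == "location" and page_is_https:
                # An HTTPS login that redirects to HTTP drops the session
                # back onto an unencrypted connection.
                if urlsplit(value).scheme == "http":
                    findings.append((url, "HTTPS page redirects to HTTP"))
    return findings


if __name__ == "__main__":
    for url, finding in audit_flow(SAMPLE_FLOW):
        print(f"{url}: {finding}")
```
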