Slashdot Mirror


Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."

53 of 185 comments

  1. Illegal? by Anonymous Coward · · Score: 5, Informative

    I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this) but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal laws in the US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?)

    So be careful where you click..

    1. Re:Illegal? by Romberg · · Score: 3, Funny

      yeah, like I'm gonna click on your link.....

  2. First haxx! by Anonymous Coward · · Score: 4, Funny

    Ha ha, anon is pwned :D

    1. Re:First haxx! by Anonymous Coward · · Score: 5, Funny

      WTF !, this guy is logged in as me !

    2. Re:First haxx! by Anonymous Coward · · Score: 2, Funny

      Remind me to change the combination to my luggage.

  3. A better explanation by buchner.johannes · · Score: 5, Informative

    here: http://codebutler.com/firesheep

    They apparently call it "sidejacking", i.e. sniffing other users' cookies from a wifi, and using them. Not new, but made user-friendly.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:A better explanation by thomst · · Score: 3, Informative

      here: http://codebutler.com/firesheep.

      Steve Manuel of TechCrunch claims that the Force-TLS 2.0 Firefox extension can defeat Firesheep. (You have to configure it manually for each site you want to protect, though, so it's somewhat of a PITA.)

      Another option is the HTTPS Everywhere Firefox extension from EFF and the Tor Project. Although HTTPS Everywhere has a predefined ruleset that includes some of the most popular Web sites, you'll still have to write your own ruleset for any site not on their default list.

      --
      Check out my novel.
  4. and this is news ? by Torvac · · Score: 3, Insightful

    someone in the same network sniffing your unencrypted traffic is Facebook's fault ? or the fact that someone made a UI to do it for dummies ?

    1. Re:and this is news ? by Anonymous Coward · · Score: 5, Insightful

      the fact that it's unencrypted is Facebook's fault, it's not hard to push everything through HTTPS, there's no excuse these days

    2. Re:and this is news ? by Ephemeriis · · Score: 5, Insightful

      someone in the same network sniffing your unencrypted traffic is Facebook's fault ?
      or the fact that someone made a UI to do it for dummies ?

      The fact that it is unencrypted is, yes.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    3. Re:and this is news ? by The+Mighty+Buzzard · · Score: 2, Informative

      While I'm inclined to agree that any remotely commercial website should offer and default to encrypted transfers, it also serves you right if you use a service that doesn't encrypt everything. Using a service that doesn't at least offer you the option of encryption is akin to driving a car that you know has defective brakes (ha, car analogy!). If shit goes badly and you knew better, you've no one to blame but yourself. If you didn't know better, it's your own fault for not educating yourself about such basic things and I shall mock you.

      Unless you're a cookie baking grandmother willing to bribe me with baked goods. Principles be damned when there are fresh, warm cookies involved.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    4. Re:and this is news ? by Anrego · · Score: 3, Insightful

      users will begin a mass exodus once more and more articles about the dangers of Facebook are written and IT Professionals and techies begin informing everyone that using Facebook is dangerous especially on a Winblows PC.

      Oh you can't seriously believe that!

      People have been screaming at the top of their lungs about how insecure facebook is and what they do with your information for years. Your average user just doesn't care as long as they can keep playing farmville!

    5. Re:and this is news ? by PopeRatzo · · Score: 4, Insightful

      Their only income stream is selling private information.

      Good point.

      I'm surprised so many people are upset about people stealing their private information, but have no problem with someone buying and selling their private information.

      --
      You are welcome on my lawn.
    6. Re:and this is news ? by Aqualung812 · · Score: 4, Informative

      You have the choice - if you visit https://facebook.com/ it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

      Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    7. Re:and this is news ? by KBJorgensen · · Score: 2, Informative

      The Chrome extension KB SSL Enforcer automatically redirects you to SSL every time you visit Facebook (and other sites) and changes all links to point to SSL. Although I do agree that they should just use SSL by default on a site with so much personal info. Disclaimer: I made this extension.

  5. Why no encryption? by AHuxley · · Score: 3, Interesting

    What is the CPU use and heat of the user base requesting and using SSL vs this bad news?
    "Double-click on someone, and you're instantly logged in as them."
    What's the extra use, 15-20%? vs unencrypted HTTP.
    Would SSL being left off allow creative law enforcement uses?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Why no encryption? by betterunixthanunix · · Score: 4, Funny

      Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

      --
      Palm trees and 8
    2. Re:Why no encryption? by maxume · · Score: 5, Informative

      When Google switched Gmail over to HTTPS all the time for everything, they found it accounted for 1% of CPU load:

      http://unblog.pidster.com/imperialviolet-overclocking-ssl?c=1

      So Facebook probably wouldn't need to do much more than get their software set right.

      --
      Nerd rage is the funniest rage.
    3. Re:Why no encryption? by cerberusss · · Score: 4, Funny

      Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

      Facebook's servers were hanging around in a dark alley one faithful night. My privacy just happened to think that particular night, let's take the shorter route home. It's as if Facebook's servers sniffed she was coming, despite her high privacy settings. They libpcaptured her, then stripped all of her headers and checksums, right down to the bare profile while taunting her loudly. Some traffic just passed by without doing anything. My privacy was violated again and again, and Facebook's servers just kept going and going. Then they left my privacy "face"-down in a shallow ditch, some shreds of unique ROWIDs covering her bloodsoaked profile.

      --
      8 of 13 people found this answer helpful. Did you?
  6. Another point is not "missing the point" by Chriscypher · · Score: 5, Insightful

    squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

    Another point does not "miss the point".

    Transport security != corporate marketing of private data

    --
    "You have liberated me from thought."
  7. Promiscuous mode on any adapter? by SpinningCone · · Score: 5, Interesting

    I used to do sniffing and stuff like this a couple years ago and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st party drivers to allow sniffing. I used a linksys usb adapter since there were 3rd party drivers that allowed it.

    unless something has changed I thought most wireless drivers didn't support promiscuous mode for sniffing.

  8. How does it work? by pinkeen · · Score: 3, Interesting

    The article is extremely light on details. The plugin's page doesn't tell much either. I'm curious how does it capture the WIFI packets. Is it possible to capture them when not in monitor mode?

    1. Re:How does it work? by will_die · · Score: 3, Informative

      You first need to install WinPcap; this is the program that does the actual work. You then log on to the wifi, using a password if required, and the program starts looking for known cookies. If it finds them it captures the info and gives you a nice user-friendly way of using them.
      It can capture the wifi since anyone can capture them if you are within range of the transmissions. But if you are not monitoring when the signals go out you cannot capture them.

    2. Re:How does it work? by pinkeen · · Score: 3, Interesting

      That wasn't my question. When in monitor (promiscuous) mode, the adapter can capture but cannot associate and give you an internet connection. So, when you capture packets you need another wlan adapter or ethernet nic for your internet connection to actually use these stolen cookies. There's no mention of it on the site. So I wondered whether maybe the plugin does some magic and captures packets while the same adapter is associated with an AP.

  9. Other People in the Room by SudoGhost · · Score: 2, Insightful

    the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

    I'm much more concerned about that than someone on my network stealing my password. If they're on my network, they could steal my password? This is not new, nor is it news. The number of people on the internet out to get your personal information is much, much higher than the number of people on your network out to do the same.

    This is just a high-tech version of this:

    'When it comes to user privacy, other people are the elephant in the room,' said SudoGhost, random douchebag author of the post in question, dubbed 'Other People in the Room'. By being in the room and watching the screen/keyboard, anyone can 'sniff out' not only the unencrypted HTTP sessions, but virtually any keystroke, allowing your mom to access social networks, online services and other websites requiring a login, and simply hijack them and find out where you really were Saturday night."

    1. Re:Other People in the Room by statusbar · · Score: 3, Insightful

      How many people use wireless at a conference, or a coffee shop, or a hotel?

      --
      ipv6 is my vpn
  10. Am I the only one who finds it amusing... by Viol8 · · Score: 2, Interesting

    ... that the bleating masses who so readily rushed to put their entire lives and details on social networking sites despite all the warnings are now running around shouting at all the chickens that are coming home to roost?

    For the rest of us with some common sense this is just hilarious.

    1. Re:Am I the only one who finds it amusing... by betterunixthanunix · · Score: 3, Informative

      To be fair, most of those people do not actually care. There is a small minority of users who do care, but for some reason continue to use those websites; the rest just want to follow the crowd without stopping to question anything.

      --
      Palm trees and 8
  11. No HTTPS encryption by DrYak · · Score: 4, Insightful

    Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in, making such hacks possible !
    I know that HTTPS would put some stress on the servers, especially with something as big as Facebook.
    But, come on. Social networks have become so important for some people, that the risks of vandalism/identity spoofing/defamation, etc. are significant and would benefit from some more protection.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:No HTTPS encryption by muckracer · · Score: 4, Informative

      > Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in [--DrYak]

      > I still have to manually change http to https in the URL every time they decide to sign me off. [--cindyann]

      Install the HTTPS-Everywhere FF Plugin. It will SSL-encrypt Facebook and a host of other domains. Only drawback: Chat doesn't work via SSL atm.

      https://www.eff.org/https-everywhere

      And while you're at it, also install the BetterPrivacy Add-on:

      https://addons.mozilla.org/en-US/firefox/addon/6623/

      which will get rid of the LSO cookie Facebook sets each time you use it. Best used in conjunction with AskforSanitize.

    2. Re:No HTTPS encryption by FrostDust · · Score: 2, Interesting

      Do they have any guarantee that all of their users have a browser that supports HTTPS?

      To Facebook, it's better to allow access to as many users as possible, than lock some out in the name of security.

    3. Re:No HTTPS encryption by lavagolemking · · Score: 4, Informative

      Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/:

      <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

      The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/ rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.

      That said, if you're worried about it you could always install HTTPS Everywhere and it will make Facebook always load using SSL.

    4. Re:No HTTPS encryption by Confusador · · Score: 3, Insightful

      There's a world of difference between having a fallback for those who can't use the secure site (with a warning that it is not secure, even) and not having an option for those who can.

    5. Re:No HTTPS encryption by sznupi · · Score: 2, Informative

      http://m.facebook.com/ ...not saying the mobile browsers can't have the security, just that "hope" isn't required to render Facebook without js.
      And apparently such access is quite popular - there were some news from FB itself about explosive growth; also according to stats of Opera Mini (the #1 mobile web browser worldwide by site hits, despite many of its users being evidently rather frugal with numbers of sites visited / data transferred), Facebook is quite often near the top of popularity.

      --
      One that hath name thou can not otter
  12. Cookie theft by Securityemo · · Score: 5, Insightful

    It's "just" WiFi cookie theft. You can do that easily with wireshark and copy/paste, this just makes it a bit faster. The problem lies in session cookies, and this is a problem known for what, almost a decade now?

    --
    Emotions! In your brain!
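
The session-cookie problem raised in this comment, and the HTTP-page-with-HTTPS-form split lavagolemking describes above, come down to two response-header settings the site itself controls. The Python below is an added example, not code from the thread or from Firesheep: it audits constructed sample headers for session cookies that lack the Secure flag (so the browser would send them on plain HTTP, where a sniffer can read them) and for a missing Strict-Transport-Security header; the SESSION_NAME_HINTS list is an assumption.

```python
"""Audit HTTP response headers for the settings behind sidejacking.

Added example: flags session cookies a passive sniffer could capture on
an HTTP connection. All header samples and cookie names are constructed.
"""

# Substrings that commonly mark a session identifier (assumed list;
# extend it for the application under review).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, attribute dict).

    Valueless attributes such as Secure and HttpOnly map to True; keys
    are lower-cased so callers can test them case-insensitively.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_headers(headers):
    """headers: list of (name, value) pairs as sent by the server.

    Returns a list of finding strings; an empty list means nothing flagged.
    """
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: the browser "
                        "will still follow http:// links to this host")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cname, attrs = parse_set_cookie(value)
        if not looks_like_session_cookie(cname):
            continue
        if "secure" not in attrs:
            findings.append(f"session cookie {cname!r} lacks Secure: sent "
                            "on plain HTTP requests, readable by a sniffer")
        if "httponly" not in attrs:
            findings.append(f"session cookie {cname!r} lacks HttpOnly: "
                            "readable by page scripts")
    return findings


# Constructed samples: the pattern the thread describes (login over HTTPS,
# everything afterwards over HTTP with a reusable cookie) and a hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.test"),
    ("Set-Cookie", "locale=en; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "locale=en; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs) or "no findings")
```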
  13. Re:What permissions do you need ? by pinkeen · · Score: 2, Informative

    It is wifi sniffing. The data is in the air. All you need is to be in range of the client's radio transmissions. If the network is encrypted then you need the WEP/WPA(2) key.

  14. Re:What permissions do you need ? by mbone · · Score: 3, Informative

    What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

    None, no, and most emphatically yes.

  15. Re:https everywhere by skywatcher2501 · · Score: 3, Informative
  16. Re:WPA2 will work better against this hack by Instant_Karmma · · Score: 2, Interesting

    This works on any network segment, including wired. How many people do you know that use Facebook, Amazon, etc. from their desks? Sure, your traffic could always be monitored by the PFY's in the data center, but now your pointy-haired boss has a tool that allows him to see what you've been buying. No thanks.

  17. Use md5 (or something) over the wire by Compaqt · · Score: 3, Informative

    Leaving aside md5 cracks (use another algo if you want):

    md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.

    Plenty of security-conscious CMS's have been doing this before Mark Z even thought of an electronic facebook.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:Use md5 (or something) over the wire by gmurray · · Score: 2, Insightful

      md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.

    2. Re:Use md5 (or something) over the wire by gmurray · · Score: 5, Insightful

      furthermore the entire usefulness of md5 is that you can't un-md5 it ;-)

    3. Re:Use md5 (or something) over the wire by ogapo · · Score: 2, Informative

      I think you may not understand how a cryptographic hash works. In the scheme you are describing, the password is typically hashed on the client side (along with some value specified by the server which changes every time). When the server gets the hash, it hashes the password (as stored in the DB and possibly also hashed) along with the same value and compares the result. Regardless, what this plugin does is not steal passwords, but simply looks for authenticated credentials (usually cookies). See, once you authenticate, the server gives you a cookie (your session identifier) that you pass back with every request to prove you are who you say you are. Since the traffic is not encrypted, this can be intercepted by anyone on a network between you and the facebook servers. If you live on a college campus or work for an ISP, this could very well be many people. Even if Facebook is smart enough to tie this session to your IP, it's likely that someone in a correct network position to sniff your packets can also viably spoof your IP (both sending and receiving). This is effectively the same as them hijacking your account except the ability goes away when your session expires.

    4. Re:Use md5 (or something) over the wire by Anonymous Coward · · Score: 2, Insightful

      This won't work as the extension sniffs out cookies, not passwords.

      Even then, this won't help as the extension could be changed to sniff the hashed password (it's just sent as plain text over HTTP), and send that hash itself.

    5. Re:Use md5 (or something) over the wire by Culture20 · · Score: 4, Funny

      md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.

      Well, then md5 the hash. It's just like using triple-DES or double rot-13 (one of the two, or maybe a happy middle-ground). ;)

    6. Re:Use md5 (or something) over the wire by jwietelmann · · Score: 4, Informative

      Hash = 1-way crypto

      The only way to "un-md5" anything is to crack it. Also, I'm not sure you actually put any real thought into this.

      Since it's best practice to store only password hashes (and not the passwords themselves) in your database (or whatever), your process is apparently:

      1. Client md5's the password, sends it to server
      2. Server "un-md5"s the password (let's say for argument's sake that this makes perfect sense)
      3. Server md5's the un-md5'd password
      4. Server checks hash against user's hash in the database
    7. Re:Use md5 (or something) over the wire by Mashiara · · Score: 2, Informative

      You are missing the point.

      The problem is not reading the password as plaintext from the cookie (now that would be monumentally stupid design) but that since the cookie equals valid session authentication, copying the cookie equals session hijacking (or sidejacking, since the original cookie is still there on the original user's machine).

    8. Re:Use md5 (or something) over the wire by PatPending · · Score: 2, Funny

      md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.

      Or use quad-ROT13 instead.

      --
      What one fool can do, another can. (Ancient Simian Proverb)
    9. Re:Use md5 (or something) over the wire by nomorecwrd · · Score: 2, Funny

      Better yet 1024-ROT13... it's a little time consuming, but totally worth it.

  18. My comments by formfeed · · Score: 2, Funny

    I'd like to declare that all comments under my user name that are controversial or could get me in trouble were made by someone else.

    Someone, who obviously must have sniffed out my wireless cookies. -Shame on them.

  19. Re:https everywhere by anti-pop-frustration · · Score: 4, Interesting

    https everywhere is indeed a great extension, and everybody should be using it.

    But some of the services that Firesheep targets don't offer an https option *at all*. This is no rebuttal, it only proves the Firesheep developer's point: these services have an inappropriate level of security.

    The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail services this is utterly unacceptable. https for login is a fig leaf; the only thing this does is give users a false sense of security.

  20. Re:What permissions do you need ? by Stray7Xi · · Score: 3, Informative

    What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

    You need to be administrator to place your network card into promiscuous mode or rfmon for wireless.

    So in a public wifi network you're screwed. In a public ethernet network it depends if it's a switched or hubbed network. But even in a switched network you could be vulnerable to this via ARP poisoning.

    The takeaway is what we've known for decades, if you want private communications use encryption.

  21. KB SSL Enforcer by brunes69 · · Score: 2, Interesting

    This is why I use this Chrome extension - https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof

    Basically for any site you go to it AUTOMATICALLY redirects you to the SSL version of that site if it exists. Including ssl.facebook.com.

    Yes ssl.facebook.com should be the default, as should most sites, but until they are this extension is invaluable IMO.