Slashdot Mirror


Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."

36 of 185 comments

  1. Illegal? by Anonymous Coward · · Score: 5, Informative

    I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this), but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal laws in the US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?)

    So be careful where you click.

    1. Re:Illegal? by Romberg · · Score: 3, Funny

      yeah, like I'm gonna click on your link.....

  2. First haxx! by Anonymous Coward · · Score: 4, Funny

    Ha ha, anon is pwned :D

    1. Re:First haxx! by Anonymous Coward · · Score: 5, Funny

      WTF! This guy is logged in as me!

  3. A better explanation by buchner.johannes · · Score: 5, Informative

    here: http://codebutler.com/firesheep

    They apparently call it "sidejacking", i.e. sniffing other users' cookies from a WiFi and using them. Not new, but made user-friendly.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:A better explanation by thomst · · Score: 3, Informative

      here: http://codebutler.com/firesheep.

      Steve Manuel of TechCrunch claims that the Force-TLS 2.0 Firefox extension can defeat Firesheep. (You have to configure it manually for each site you want to protect, though, so it's somewhat of a PITA.)

      Another option is the HTTPS Everywhere Firefox extension from EFF and the Tor Project. Although HTTPS Everywhere has a predefined ruleset that includes some of the most popular Web sites, you'll still have to write your own ruleset for any site not on their default list.

      --
      Check out my novel.
  4. and this is news ? by Torvac · · Score: 3, Insightful

    Someone in the same network sniffing your unencrypted traffic is Facebook's fault? Or the fact that someone made a UI to do it for dummies?

    1. Re:and this is news ? by Anonymous Coward · · Score: 5, Insightful

      The fact that it's unencrypted is Facebook's fault. It's not hard to push everything through HTTPS; there's no excuse these days.

    2. Re:and this is news ? by Ephemeriis · · Score: 5, Insightful

      Someone in the same network sniffing your unencrypted traffic is Facebook's fault?
      Or the fact that someone made a UI to do it for dummies?

      The fact that it is unencrypted is, yes.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    3. Re:and this is news ? by Anrego · · Score: 3, Insightful

      users will begin a mass exodus once more and more articles about the dangers of Facebook are written and IT Professionals and techies begin informing everyone that using Facebook is dangerous especially on a Winblows PC.

      Oh you can't seriously believe that!

      People have been screaming at the top of their lungs about how insecure Facebook is and what they do with your information for years. Your average user just doesn't care as long as they can keep playing Farmville!

    4. Re:and this is news ? by PopeRatzo · · Score: 4, Insightful

      Their only income stream is selling private information.

      Good point.

      I'm surprised so many people are upset about people stealing their private information, but have no problem with someone buying and selling their private information.

      --
      You are welcome on my lawn.
    5. Re:and this is news ? by Aqualung812 · · Score: 4, Informative

      You have the choice - if you visit https://facebook.com/ it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

      Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  5. Why no encryption? by AHuxley · · Score: 3, Interesting

    What is the CPU use and heat of the user base requesting and using SSL vs this bad news?
    "Double-click on someone, and you're instantly logged in as them."
    What's the extra use, 15-20%, vs unencrypted HTTP?
    Would SSL being left off allow creative law enforcement uses?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Why no encryption? by betterunixthanunix · · Score: 4, Funny

      Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

      --
      Palm trees and 8
    2. Re:Why no encryption? by maxume · · Score: 5, Informative

      When Google switched Gmail over to HTTPS all the time for everything, they found it accounted for 1% of CPU load:

      http://unblog.pidster.com/imperialviolet-overclocking-ssl?c=1

      So Facebook probably wouldn't need to do much more than get their software set right.

      --
      Nerd rage is the funniest rage.
    3. Re:Why no encryption? by cerberusss · · Score: 4, Funny

      Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

      Facebook's servers were hanging around in a dark alley one fateful night. My privacy just happened to think that particular night, let's take the shorter route home. It's as if Facebook's servers sniffed she was coming, despite her high privacy settings. They libpcaptured her, then stripped all of her headers and checksums, right down to her bare profile, while taunting her loudly. Some traffic just passed by without doing anything. My privacy was violated again and again, and Facebook's servers just kept going and going. Then they left my privacy "face"-down in a shallow ditch, some shreds of unique ROWIDs covering her bloodsoaked profile.

      --
      8 of 13 people found this answer helpful. Did you?
  6. Another point is not "missing the point" by Chriscypher · · Score: 5, Insightful

    squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

    Another point does not "miss the point".

    Transport security != corporate marketing of private data

    --
    "You have liberated me from thought."
  7. Promiscuous mode on any adapter? by SpinningCone · · Score: 5, Interesting

    I used to do sniffing and stuff like this a couple of years ago, and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. Aircrack sells one that comes with 1st-party drivers to allow sniffing. I used a Linksys USB adapter since there were 3rd-party drivers that allowed it.

    Unless something has changed, I thought most wireless drivers didn't support promiscuous mode for sniffing.

  8. How does it work? by pinkeen · · Score: 3, Interesting

    The article is extremely light on details. The plugin's page doesn't tell much either. I'm curious how it captures the WiFi packets. Is it possible to capture them when not in monitor mode?

    1. Re:How does it work? by will_die · · Score: 3, Informative

      You first need to install WinPcap; this is the program that does the actual work. You then log on to the WiFi, using a password if required, and the program starts looking for known cookies. If it finds them, it captures the info and gives you a nice user-friendly way of using them.
      It can capture the WiFi traffic since anyone can capture it if you are within range of the transmissions. If you are not monitoring when the signals go out, you cannot capture them.

    2. Re:How does it work? by pinkeen · · Score: 3, Interesting

      That wasn't my question. When in monitor (promiscuous) mode, the adapter can capture but cannot associate and give you an internet connection. So, when you capture packets you need another WLAN adapter or Ethernet NIC for your internet connection to actually use these stolen cookies. There's no mention of it on the site. So I wondered whether maybe the plugin does some magic and captures packets while the same adapter is associated with an AP.

  9. No HTTPS encryption by DrYak · · Score: 4, Insightful

    Kudos to Facebook and most other networks for NOT using encryption for anything but the login, making such hacks possible!
    I know that HTTPS would put some stress on the servers, especially with something as big as Facebook.
    But, come on. Social networks have become so important for some people that the risks of vandalism/identity spoofing/defamation, etc. are significant and would benefit from some more protection.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:No HTTPS encryption by muckracer · · Score: 4, Informative

      > Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in [--DrYak]

      > I still have to manually change http to https in the URL every time they decide to sign me off. [--cindyann]

      Install the HTTPS-Everywhere FF plugin. It will SSL-encrypt Facebook and a host of other domains. Only drawback: Chat doesn't work via SSL atm.

      https://www.eff.org/https-everywhere

      And while you're at it, also install the BetterPrivacy Add-on:

      https://addons.mozilla.org/en-US/firefox/addon/6623/

      which will get rid of the LSO cookie Facebook sets each time you use it. Best used in conjunction with AskforSanitize.

    2. Re:No HTTPS encryption by lavagolemking · · Score: 4, Informative

      Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/:

      <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

      The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/, rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.

      That said, if you're worried about it you could always install HTTPS Everywhere and it will make Facebook always load using SSL.
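
The two weaknesses described in this thread, a session cookie that the browser will also send over plain HTTP and a login form served from an http:// page, can both be checked from a captured response. The following audit helper is an added example, not code from the post or from Firesheep; the URL, cookie names and the "session-like" name hints are constructed for the demonstration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Name fragments that suggest a cookie carries login state (assumption for the demo).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

class FormActions(HTMLParser):
    """Collect the action attribute of every <form> in a page body."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action", ""))

def audit_cookies(set_cookie_headers):
    """Flag session-looking cookies that a browser would also send over
    plain http://, which is exactly what a passive sniffer collects."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not any(hint in name.lower() for hint in SESSION_HINTS):
                continue
            if not morsel["secure"]:      # "" when the Secure flag is absent
                findings.append(f"{name}: no Secure flag, sent over http and replayable")
            if not morsel["httponly"]:
                findings.append(f"{name}: no HttpOnly flag, readable by page scripts")
    return findings

def audit_login_page(page_url, body):
    """Flag login forms served from a plaintext page. Even when the action is
    https://, whoever is on the path can rewrite it before the user submits."""
    findings = []
    if urlsplit(page_url).scheme == "https":
        return findings
    parser = FormActions()
    parser.feed(body)
    for action in parser.actions:
        findings.append(f"form posting to {action} is served from plaintext {page_url}")
    return findings

# Constructed sample response, modelled on the pattern quoted in the comment above.
SAMPLE_URL = "http://www.example.com/"
SAMPLE_HEADERS = ["session_id=abc123; Path=/; HttpOnly", "lang=en; Path=/"]
SAMPLE_BODY = '<form method="POST" action="https://login.example.com/login.php" id="login_form"></form>'
```

Running `audit_cookies(SAMPLE_HEADERS)` reports the session cookie, and `audit_login_page(SAMPLE_URL, SAMPLE_BODY)` reports the form; serving the same page and cookie over https:// with the Secure flag clears both findings.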

    3. Re:No HTTPS encryption by Confusador · · Score: 3, Insightful

      There's a world of difference between having a fallback for those who can't use the secure site (with a warning that it is not secure, even) and not having an option for those who can.

  10. Cookie theft by Securityemo · · Score: 5, Insightful

    It's "just" WiFi cookie theft. You can do that easily with wireshark and copy/paste, this just makes it a bit faster. The problem lies in session cookies, and this is a problem known for what, almost a decade now?

    --
    Emotions! In your brain!
  11. Re:Am I the only one who finds it amusing... by betterunixthanunix · · Score: 3, Informative

    To be fair, most of those people do not actually care. There is a small minority of users who do care, but for some reason continue to use those websites; the rest just want to follow the crowd without stopping to question anything.

    --
    Palm trees and 8
  12. Re:What permissions do you need ? by mbone · · Score: 3, Informative

    What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

    None, no, and most emphatically yes.

  13. Re:Other People in the Room by statusbar · · Score: 3, Insightful

    How many people use wireless at a conference, or a coffee shop, or a hotel?

    --
    ipv6 is my vpn
  14. Re:https everywhere by skywatcher2501 · · Score: 3, Informative
  15. Use md5 (or something) over the wire by Compaqt · · Score: 3, Informative

    Leaving aside md5 cracks (use another algo if you want):

    md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.

    Plenty of security-conscious CMSes have been doing this since before Mark Z even thought of an electronic facebook.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:Use md5 (or something) over the wire by gmurray · · Score: 5, Insightful

      furthermore the entire usefulness of md5 is that you can't un-md5 it ;-)

    2. Re:Use md5 (or something) over the wire by Culture20 · · Score: 4, Funny

      md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.

      Well, then md5 the hash. It's just like using triple-DES or double rot-13 (one of the two, or maybe a happy middle-ground). ;)

    3. Re:Use md5 (or something) over the wire by jwietelmann · · Score: 4, Informative

      Hash = 1-way crypto

      The only way to "un-md5" anything is to crack it. Also, I'm not sure you actually put any real thought into this.

      Since it's best practice to store only password hashes (and not the passwords themselves) in your database (or whatever), your process is apparently:

      1. Client md5's the password, sends it to server
      2. Server "un-md5"s the password (let's say for argument's sake that this makes perfect sense)
      3. Server md5's the un-md5'd password
      4. Server checks hash against user's hash in the database
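
The point made in these replies, that whatever the client sends is itself the credential, can be shown in a few lines. This is an added example, not code from any poster: `USERS`, `ChallengeServer` and the password are constructed, and the challenge/response variant is shown only to mark the limit of the fix, since the stored hash becomes password-equivalent and the session cookie issued after login is still a replayable token unless it travels over TLS.

```python
import hashlib
import hmac
import secrets

# Constructed user database: the server stores md5(password), as the proposal assumes.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}

def login_static(user, sent_hash):
    """The proposal: client sends md5(password), server compares it to the stored hash.
    The value on the wire is a fixed credential, so a copy of it is accepted every time."""
    return hmac.compare_digest(USERS.get(user, ""), sent_hash)

class ChallengeServer:
    """Challenge/response: the client proves it knows the stored hash against a
    one-time nonce, so a captured response is useless for the next login."""
    def __init__(self):
        self.pending = {}

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user, response):
        nonce = self.pending.pop(user, None)          # nonce is consumed either way
        if nonce is None or user not in USERS:
            return False
        expected = hmac.new(USERS[user].encode(), nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(password, nonce):
    """What the browser side would compute from the typed password and the nonce."""
    stored = hashlib.md5(password.encode()).hexdigest()
    return hmac.new(stored.encode(), nonce.encode(), "sha256").hexdigest()

def demo():
    """Returns (static hash accepted twice, fresh response accepted, replayed response rejected)."""
    sniffed = hashlib.md5(b"correct horse").hexdigest()        # the value a sniffer records
    replay_static = login_static("alice", sniffed) and login_static("alice", sniffed)
    srv = ChallengeServer()
    resp = client_response("correct horse", srv.challenge("alice"))
    first = srv.login("alice", resp)
    srv.challenge("alice")                                      # next login gets a fresh nonce
    replayed = srv.login("alice", resp)
    return replay_static, first, replayed
```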
  16. Re:https everywhere by anti-pop-frustration · · Score: 4, Interesting

    https everywhere is indeed a great extension, and everybody should be using it.

    But some of the services that Firesheep targets don't offer an https option *at all*. This is no rebuttal; it only proves the Firesheep developer's point: these services have an inappropriate level of security.

    The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail services this is utterly unacceptable. https for login is a fig leaf; the only thing this does is give users a false sense of security.

  17. Re:What permissions do you need ? by Stray7Xi · · Score: 3, Informative

    What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

    You need to be administrator to place your network card into promiscuous mode, or rfmon for wireless.

    So in a public WiFi network you're screwed. In a public Ethernet network it depends on whether it's a switched or hubbed network. But even in a switched network you could be vulnerable to this via ARP poisoning.

    The takeaway is what we've known for decades, if you want private communications use encryption.