Slashdot Mirror


Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."

21 of 185 comments

  1. Illegal? by Anonymous Coward · · Score: 5, Informative

    I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this), but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal laws in the US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?).

    So be careful where you click..

  2. First haxx! by Anonymous Coward · · Score: 4, Funny

    Ha ha, anon is pwned :D

    1. Re:First haxx! by Anonymous Coward · · Score: 5, Funny

      WTF !, this guy is logged in as me !

  3. A better explanation by buchner.johannes · · Score: 5, Informative

    here: http://codebutler.com/firesheep

    They apparently call it "sidejacking", i.e. sniffing other users' cookies from a wifi, and using them. Not new, but made user-friendly.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  4. Re:and this is news ? by Anonymous Coward · · Score: 5, Insightful

    The fact that it's unencrypted is Facebook's fault. It's not hard to push everything through HTTPS; there's no excuse these days.

  5. Re:and this is news ? by Ephemeriis · · Score: 5, Insightful

    > someone in the same network sniffing your unencrypted traffic is Facebook's fault?
    > or the fact that someone made a UI to do it for dummies?

    The fact that it is unencrypted is, yes.

    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  6. Another point is not "missing the point" by Chriscypher · · Score: 5, Insightful

    > squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

    Another point does not "miss the point".

    Transport security != corporate marketing of private data

    --
    "You have liberated me from thought."
  7. Promiscuous mode on any adapter? by SpinningCone · · Score: 5, Interesting

    I used to do sniffing and stuff like this a couple of years ago, and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st party drivers to allow sniffing. I used a Linksys USB adapter since there were 3rd party drivers that allowed it.

    Unless something has changed, I thought most wireless drivers didn't support promiscuous mode for sniffing.

  8. Re:Why no encryption? by betterunixthanunix · · Score: 4, Funny

    Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

    --
    Palm trees and 8
  9. No HTTPS encryption by DrYak · · Score: 4, Insightful

    Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in, making such hacks possible!
    I know that HTTPS would put some stress on the servers, especially with something as big as Facebook.
    But, come on. Social networks have become so important for some people that the risks of vandalism/identity spoofing/defamation, etc. are significant and would benefit from some more protection.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:No HTTPS encryption by muckracer · · Score: 4, Informative

      > Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in [--DrYak]

      > I still have to manually change http to https in the URL every time they decide to sign me off. [--cindyann]

      Install the HTTPS-Everywhere FF Plugin. It will SSL-encrypt Facebook and a host of other domains. Only drawback: Chat doesn't work via SSL atm.

      https://www.eff.org/https-everywhere

      And while you're at it, also install the BetterPrivacy Add-on:

      https://addons.mozilla.org/en-US/firefox/addon/6623/

      which will get rid of the LSO cookie Facebook sets each time you use it. Best used in conjunction with AskforSanitize.

    2. Re:No HTTPS encryption by lavagolemking · · Score: 4, Informative

      Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/:

      <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

      The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/, rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.

      That said, if you're worried about it you could always install HTTPS Everywhere and it will make Facebook always load using SSL.
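
An added example, not part of the thread and not code from Firesheep or any site named here: a server-side audit of one HTTP response for the two weaknesses the comments above describe, a login form delivered on a plain-HTTP page and a session cookie set without the `Secure` attribute. The cookie name, the input field names and the HSTS check are assumptions added for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the form markup quoted in the comment above.
SAMPLE_HTML = (
    '<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1">'
    '<input type="text" name="email"><input type="password" name="pass"></form>')
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "session=EXAMPLE; Path=/")]

class LoginForms(HTMLParser):
    """Collect the action URL of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.action, self.has_password, self.actions = None, False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action, self.has_password = a.get("action") or "", False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.action is not None:
            if self.has_password:
                self.actions.append(self.action)
            self.action = None

def audit(page_url, headers, html):
    """Return a list of findings; headers is a list of (name, value) pairs."""
    findings = []
    https_page = urlsplit(page_url).scheme == "https"
    forms = LoginForms()
    forms.feed(html)
    if not https_page:
        # An https:// action does not help: the page carrying it can be rewritten in transit.
        findings += [f"login form served over HTTP (action={a})" for a in forms.actions]
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {part.strip().lower() for part in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure, so it is also sent over plain HTTP")
    if https_page and not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    return findings
```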

  10. Cookie theft by Securityemo · · Score: 5, Insightful

    It's "just" WiFi cookie theft. You can do that easily with Wireshark and copy/paste, this just makes it a bit faster. The problem lies in session cookies, and this is a problem known for what, almost a decade now?

    --
    Emotions! In your brain!
  11. Re:Why no encryption? by maxume · · Score: 5, Informative

    When Google switched Gmail over to HTTPS all the time for everything, they found it accounted for 1% of CPU load:

    http://unblog.pidster.com/imperialviolet-overclocking-ssl?c=1

    So Facebook probably wouldn't need to do much more than get their software set right.

    --
    Nerd rage is the funniest rage.
  12. Re:and this is news ? by PopeRatzo · · Score: 4, Insightful

    > Their only income stream is selling private information.

    Good point.

    I'm surprised so many people are upset about people stealing their private information, but have no problem with someone buying and selling their private information.

    --
    You are welcome on my lawn.
  13. Re:Use md5 (or something) over the wire by gmurray · · Score: 5, Insightful

    furthermore the entire usefulness of md5 is that you can't un-md5 it ;-)

  14. Re:https everywhere by anti-pop-frustration · · Score: 4, Interesting

    https everywhere is indeed a great extension, and everybody should be using it.

    But some of the services that Firesheep targets don't offer an https option *at all*. This is no rebuttal, it only proves the Firesheep developer's point: these services have an inappropriate level of security.

    The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail services this is utterly unacceptable. https for login is a fig leaf, the only thing this does is give users a false sense of security.

  15. Re:and this is news ? by Aqualung812 · · Score: 4, Informative

    > You have the choice - if you visit https://facebook.com/ it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

    Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.

    --
    Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  16. Re:Use md5 (or something) over the wire by Culture20 · · Score: 4, Funny

    > md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.

    Well, then md5 the hash. It's just like using triple-DES or double rot-13 (one of the two, or maybe a happy middle-ground). ;)
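
An added example, not part of the thread: the replay point quoted in the comment above, shown from the server's side. A fixed `md5(password)` sent over the wire is accepted again when resent, while a response bound to a one-time server nonce is not. The class names, the sample password and the toy key derivation are assumptions for illustration, and the session cookie issued after either login still needs an encrypted transport.

```python
import hashlib
import hmac
import secrets

class StaticHashServer:
    """Scheme proposed in the thread: client sends md5(password), server compares."""
    def __init__(self, password):
        self.stored = hashlib.md5(password.encode()).hexdigest()

    def login(self, token):
        return hmac.compare_digest(token, self.stored)

def derive_key(password):
    # Toy derivation to keep the demo short; a real system would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).digest()

def client_response(password, nonce):
    return hmac.new(derive_key(password), nonce.encode(), hashlib.sha256).hexdigest()

class ChallengeServer:
    """Server issues a one-time nonce; the client answers HMAC(key, nonce)."""
    def __init__(self, password):
        self.key = derive_key(password)
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.pending:
            return False  # unknown or already-used nonce: a replayed answer is rejected
        self.pending.discard(nonce)
        expected = hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)

def demo():
    password = "correct horse"  # constructed sample value
    observed = hashlib.md5(password.encode()).hexdigest()  # bytes visible on the network
    static_replay = StaticHashServer(password).login(observed)  # resent as-is
    server = ChallengeServer(password)
    nonce = server.challenge()
    answer = client_response(password, nonce)
    first = server.login(nonce, answer)    # legitimate login
    replay = server.login(nonce, answer)   # same bytes resent later
    return static_replay, first, replay
```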

  17. Re:Use md5 (or something) over the wire by jwietelmann · · Score: 4, Informative

    Hash = 1-way crypto

    The only way to "un-md5" anything is to crack it. Also, I'm not sure you actually put any real thought into this.

    Since it's best practice to store only password hashes (and not the passwords themselves) in your database (or whatever), your process is apparently:

    1. Client md5's the password, sends it to server
    2. Server "un-md5"s the password (let's say for argument's sake that this makes perfect sense)
    3. Server md5's the un-md5'd password
    4. Server checks hash against user's hash in the database
  18. Re:Why no encryption? by cerberusss · · Score: 4, Funny

    > Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

    Facebook's servers were hanging around in a dark alley one fateful night. My privacy just happened to think that particular night, let's take the shorter route home. It's as if Facebook's servers sniffed she was coming, despite her high privacy settings. They libpcaptured her, then stripped all of her headers and checksums, right to her bare profile while taunting her loudly. Some traffic just passed by without doing anything. My privacy was violated again, and again and Facebook's servers just kept going and going. Then they left my privacy "face"-down in a shallow ditch, some shreds of unique ROWIDs covering her bloodsoaked profile.

    --
    8 of 13 people found this answer helpful. Did you?