Slashdot Mirror


Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other website requiring a login, and simply hijack them and impersonate the user."

10 of 185 comments

  1. Illegal? by Anonymous Coward · · Score: 5, Informative

    I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this) but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal laws in the US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?)

    So be careful where you click..

  2. A better explanation by buchner.johannes · · Score: 5, Informative

    here: http://codebutler.com/firesheep

    They apparently call it "sidejacking", i.e. sniffing other users' cookies from a wifi and using them. Not new, but made user-friendly.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  3. Re:First haxx! by Anonymous Coward · · Score: 5, Funny

    WTF !, this guy is logged in as me !

  4. Re:and this is news ? by Anonymous Coward · · Score: 5, Insightful

    the fact that it's unencrypted is Facebook's fault, it's not hard to push everything through HTTPS, there's no excuse these days

  5. Re:and this is news ? by Ephemeriis · · Score: 5, Insightful

    someone in the same network sniffing your unencrypted traffic is Facebook's fault?
    or the fact that someone made a UI to do it for dummies?

    The fact that it is unencrypted is, yes.

    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  6. Another point is not "missing the point" by Chriscypher · · Score: 5, Insightful

    squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

    Another point does not "miss the point".

    Transport security != corporate marketing of private data

    --
    "You have liberated me from thought."
  7. Promiscuous mode on any adapter? by SpinningCone · · Score: 5, Interesting

    I used to do sniffing and stuff like this a couple of years ago and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st-party drivers to allow sniffing. I used a Linksys USB adapter since there were 3rd-party drivers that allowed it.

    unless something has changed I thought most wireless drivers didn't support promiscuous mode for sniffing.

  8. Cookie theft by Securityemo · · Score: 5, Insightful

    It's "just" WiFi cookie theft. You can do that easily with Wireshark and copy/paste, this just makes it a bit faster. The problem lies in session cookies, and this is a problem known for what, almost a decade now?

    --
    Emotions! In your brain!
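The defect the comments above describe (a session cookie that the browser will happily send over plain HTTP, so anyone on the same network segment can copy it) is visible in the server's response headers. The following audit is an added example written for this mirror, not Firesheep code or anything from the thread; the header samples are constructed, and the cookie-name hints used to spot session cookies are an assumption.

```python
# Flag response headers that leave a login session exposed to WiFi sniffing.
# Hypothetical audit helper; the two header sets below are constructed samples.

# Assumed substrings that mark a cookie as session-bearing (heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags like Secure get ""
    return name.strip(), attrs


def audit_response(headers):
    """headers: list of (name, value) pairs. Return a list of findings."""
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security; first request may go out in plain HTTP")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not any(h in cookie.lower() for h in SESSION_HINTS):
            continue  # preference cookies are not what a sidejacker wants
        if "secure" not in attrs:
            findings.append(f"{cookie}: no Secure flag, browser will send it over HTTP")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: no HttpOnly flag, readable from page script")
    return findings


# Constructed sample: the 2010-era setup the thread complains about.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=deadbeef; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed sample: the same site after moving sessions behind HTTPS.
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(hdrs) or ["no findings"])
```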
  9. Re:Why no encryption? by maxume · · Score: 5, Informative

    When Google switched Gmail over to HTTPS all the time for everything, they found it accounted for 1% of CPU load:

    http://unblog.pidster.com/imperialviolet-overclocking-ssl?c=1

    So Facebook probably wouldn't need to do much more than get their software set right.

    --
    Nerd rage is the funniest rage.
  10. Re:Use md5 (or something) over the wire by gmurray · · Score: 5, Insightful

    furthermore the entire usefulness of md5 is that you can't un-md5 it ;-)