Firefox Extension Makes Social-Network ID Spoofing Trivial
Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."
Illegal? (Score:5, Informative)
I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this) but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal laws in the US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?)
So be careful where you click..
Use md5 (or something) over the wire (Score:3, Informative)
Leaving aside md5 cracks (use another algo if you want):
md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.
Plenty of security-conscious CMS's have been doing this before Mark Z even thought of an electronic facebook.
Re: (Score:2)
Or, depending on who you are, the usefulness might be that no-one else can.
Re:Use md5 (or something) over the wire (Score:5, Funny)
md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.
Well, then md5 the hash. It's just like using triple-DES or double rot-13 (one of the two, or maybe a happy middle-ground). ;)
Re: (Score:2)
Sorry, man, you caught me. Lesson: Don't post while drowsy.
un-md5?
Is that slated to be the next Slashdot meme?
Re: (Score:2)
Did I really say un-md5 ?!! Sorry, I meant "compare the hash sent by the client to that saved in the DB".
Even so, this technique uses cookies, and not the password or hash. (Note to self: Read the articles!)
Typo3 is one CMS that you can set to check the incoming IP and make sure it's the same as the IP that originally authenticated.
Drupal 6 is abysmal in that it doesn't even use salt; probably half the passwords in table users are likely to be in an md5 database somewhere.
Re: (Score:2)
"Typo3 is one CMS that you can set to check the incoming IP and make sure it's the same as the IP that originally authenticated."
If you snatched someone's cookies over free WiFi at a coffeehouse, you probably HAVE the same IP address as they do, since all the server sees is the coffeehouse's gateway IP address.
IOW, that won't help either.
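As an added illustration of the exchange above (not code from Typo3 or from the thread), here is a minimal session store that binds each session cookie to the client IP that authenticated, as the Typo3 option is described, and a simulation of a victim and a sidejacker sitting behind the same coffee-shop NAT. The addresses, user names and store layout are made up for the example.

```python
# Added example: an IP-bound session check and why it fails behind a shared NAT.
# Addresses and user names below are constructed for the demonstration.
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": str, "ip": str}

    def login(self, user, client_ip):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def authenticate(self, sid, client_ip):
        """Return the user for a valid cookie, or None.

        The IP check can only compare the address the server sees, which for
        everyone on a NATed hotspot is the hotspot's single public address."""
        rec = self._sessions.get(sid)
        if rec is None or rec["ip"] != client_ip:
            return None
        return rec["user"]


def nat_scenario():
    NAT_IP = "203.0.113.7"  # the coffee shop's one public address (constructed)
    store = SessionStore()
    sid = store.login("alice", NAT_IP)  # victim logs in over plain HTTP
    # The sidejacker reads `sid` out of the Cookie header on the air and
    # replays it; the server sees the same NAT address, so the check passes.
    return {
        "victim": store.authenticate(sid, NAT_IP),
        "sidejacker_same_nat": store.authenticate(sid, NAT_IP),
        "replay_from_elsewhere": store.authenticate(sid, "198.51.100.9"),
    }


def roaming_scenario():
    # The same check also locks out a legitimate user whose address changes,
    # e.g. a laptop moving from one access point to another.
    store = SessionStore()
    sid = store.login("bob", "192.0.2.10")
    return store.authenticate(sid, "192.0.2.11")
```

The only case the IP binding stops is a replay from a different network, which is not the Firesheep scenario; the attacker is on the same segment by definition.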
Re: (Score:2, Insightful)
This won't work as the extension sniffs out cookies, not passwords.
Even then, this won't help as the extension could be changed to sniff the hashed password (it's just sent as plain text over HTTP), and send that hash itself.
Re: (Score:2)
"If you snatched someone's cookies over free WiFi at a coffeehouse, you probably HAVE the same IP address as they do, since all the server sees is the coffeehouse's gateway IP address."
"Even then, this won't help as the extension could be changed to sniff the hashed password (it's just send as plain text over HTTP), and send that hash itself."
All this talk of sniffing cookies and hash has got my stomach rumbling.
Enough already.
Re:Use md5 (or something) over the wire (Score:5, Informative)
Hash = 1-way crypto
The only way to "un-md5" anything is to crack it. Also, I'm not sure you actually put any real thought into this.
Since it's best practice to store only password hashes (and not the passwords themselves) in your database (or whatever), your process is apparently:
Re: (Score:2, Informative)
You are missing the point.
The problem is not reading the password as plaintext from the cookie (now that would be monumentally stupid design) but that since the cookie equals valid session authentication, copying the cookie equals session hijacking (or sidejacking, since the original cookie is still there on the original user's machine).
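To make the point above concrete, here is an added example (not Firesheep's code, and not from the thread) of what the extension does in principle: watch plaintext HTTP requests, pull the cookies that a per-site handler says make up a session, and build a request that presents them from a different machine. The captured requests, host names and cookie names are constructed for the example and do not correspond to any real site.

```python
# Added example: passive session-cookie harvesting from plaintext HTTP requests.
# Hosts, cookie names and the captured requests are constructed, not real sites.

# Per-site "handlers": which cookie names together make up a replayable session.
HANDLERS = {
    "www.example-social.test": ["sess_id", "user"],
    "mail.example-web.test": ["auth"],
}

# Constructed requests as they would appear on an open, unencrypted Wi-Fi.
CAPTURE = [
    b"GET /home.php HTTP/1.1\r\nHost: www.example-social.test\r\n"
    b"Cookie: locale=en; sess_id=9f2a7c; user=1001; tracking=x\r\n\r\n",
    b"GET /inbox HTTP/1.1\r\nHost: mail.example-web.test\r\n"
    b"Cookie: auth=Y0rTokEn\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.unrelated.test\r\nCookie: a=b\r\n\r\n",
]


def parse_request(raw):
    """Split one HTTP request into its request line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookies(header):
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def harvest(capture):
    """Return {host: {cookie: value}} for every complete session seen on the wire."""
    found = {}
    for raw in capture:
        _, headers = parse_request(raw)
        host = headers.get("host", "")
        wanted = HANDLERS.get(host)
        if not wanted or "cookie" not in headers:
            continue
        jar = parse_cookies(headers["cookie"])
        if all(name in jar for name in wanted):
            found[host] = {name: jar[name] for name in wanted}
    return found


def forge_request(host, cookies, path="/"):
    """The request a sidejacker sends: the victim's cookies, a new client.

    Nothing in the cookie ties it to the original browser, so the server
    cannot tell the two apart."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"
```

Note that no password is involved at any point; the login may well have happened over HTTPS, but every later request carries the session cookie in the clear.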
Re: (Score:2)
By now you may have seen my follow-up that I mistyped when I said "un-md5" (meant compare hashes on the server).
But I disagree that all logins (even for large sites) are encrypted.
For example, I use Slashdot just fine without JavaScript. I haven't checked the source, but the standard HTML FORM element doesn't encrypt anything when sending form submissions over the network. So the password must obviously be sent (at least the first time) in the clear.
That's why I was encouraging people to md5 their passwords
Re: (Score:3, Funny)
md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.
Or use quad-ROT13 instead.
Re: (Score:2)
Leaving aside md5 cracks, WTF do you mean by "un-md5 it"? You can't do that!
Re: (Score:2)
Please somebody mod my original post [slashdot.org] as Funny and not Informative to avoid future PHP-Nukes.
What you actually need to do at the very least is:
1. md5 [slashdot.org] (or another algo) with Javascript on the client and compare that hash to the one saved in the DB. If the password is stored in cleartext (which it shouldn't be, but sometimes external systems are out of your control), md5 [php.net] it with PHP.
2. Some people use SSL on the login page.
3. But this attack shows crackers just intercepting and replaying the creds. Discouraging
First haxx! (Score:4, Funny)
Ha ha, anon is pwned :D
Re:First haxx! (Score:5, Funny)
WTF !, this guy is logged in as me !
My comments (Score:3, Funny)
Someone, who obviously must have sniffed out my wireless cookies. -Shame on them.
Re: (Score:2, Funny)
Remind me to change the combination to my luggage.
A better explanation (Score:5, Informative)
here: http://codebutler.com/firesheep [codebutler.com]
They apparently call it "sidejacking", i.e. sniffing other users' cookies from a wifi, and using them. Not new, but made user-friendly.
Other People in the Room (Score:3, Insightful)
the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.
I'm much more concerned about that than someone on my network stealing my password. If they're on my network, they could steal my password? This is not new, nor is it news. The number of people on the internet out to get your personal information is much, much higher than the number of people on your network out to do the same.
This is just a high-tech version of this:
'When it comes to user privacy, other people are the elephant in the room,' said SudoGhost, random douchebag author of the post in question, dubbed 'Other People in the Room'. By being in the room and watching the screen/keyboard, anyone can 'sniff out' not only the unencrypted HTTP sessions, but virtually any keystroke, allowing your mom to access social networks, online services and other websites requiring a login, and simply hijack them and find out where you really were Saturday night."
Re:Other People in the Room (Score:4, Insightful)
How many people use wireless at a conference, or a coffee shop, or a hotel?
Re: (Score:2)
Of course not, unless you are accessing the net via VPN, or SSH tunnel to a proxy, or of course when you are running firesheep...
No HTTPS encryption (Score:5, Insightful)
Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in, making such hacks possible !
I know that HTTPS would put some stress on the servers, especially with something as big as Facebook.
But, come on. Social networks have become so important for some people that the risks of vandalism/identity spoofing/defamation, etc. are significant and would benefit from some more protection.
Re: (Score:3, Interesting)
Do they have any guarantee that all of their users have a browser that supports HTTPS?
To Facebook, it's better to allow access to as many users as possible, than lock some out in the name of security.
Re:No HTTPS encryption (Score:4, Insightful)
There's a world of difference between having a fallback for those who can't use the secure site (with a warning that it is not secure, even) and not having an option for those who can.
Re: (Score:3, Informative)
http://m.facebook.com/ [facebook.com] ...not saying the mobile browsers can't have the security, just that "hope" isn't required to render Facebook without js.
And apparently such access is quite popular - there were some news from FB itself about explosive growth; also according to stats of Opera Mini [opera.com] (the #1 mobile web browser worldwide by site hits, despite many of its users being evidently rather frugal with numbers of sites visited / data transferred), Facebook is quite often near the top of popularity.
Re: (Score:2)
You don't even need HTTPS. HTTP already supports authentication mechanisms. If we'd use digest authentication for logins then we wouldn't have to bother with cookies at all. Unfortunately, there's no way to make a pretty login page for digest (or plain) authentication. The browser pops up a username/password dialog instead. Therefore, web sites avoid it and opt instead for the mess of cookies and all their security issues.
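The two earlier posts about client-side md5 ("intercepting and replaying the creds") and this one about Digest authentication are really one question: what does a sniffer get to replay? The added example below (not from the thread, not any site's real login code) puts both schemes side by side: a client that sends md5(password) over HTTP, which a sniffer can replay verbatim, and the RFC 2617 Digest computation, where the server's per-challenge nonce makes the sniffed response useless against the next challenge. The realm, user and password are constructed; `qop` is omitted for brevity.

```python
# Added example: replayability of a client-side hash versus HTTP Digest (RFC 2617).
# The realm, user name and password are constructed for the demonstration.
import hashlib
import secrets


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# --- Scheme 1: client sends md5(password), server compares with the stored md5 ---
USERS = {"alice": md5hex("hunter2")}  # unsalted md5 in the DB, as criticised above


def client_hashes_password(user, password):
    # This whole message crosses the wire in the clear over plain HTTP.
    return {"user": user, "hash": md5hex(password)}


def server_check_hash(msg):
    return USERS.get(msg["user"]) == msg["hash"]


def replay_scheme1():
    sniffed = client_hashes_password("alice", "hunter2")  # captured on the Wi-Fi
    return server_check_hash(sniffed)  # the attacker never needed the password


# --- Scheme 2: HTTP Digest; the server issues a fresh nonce in WWW-Authenticate ---
def digest_challenge():
    return secrets.token_hex(16)  # server nonce, new for every challenge


def digest_response(user, password, realm, nonce, method, uri):
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_ha1, nonce, method, uri, response):
    # The server may store H(A1) instead of the password (RFC 2617 section 3.2.2.2).
    ha2 = md5hex(f"{method}:{uri}")
    return response == md5hex(f"{stored_ha1}:{nonce}:{ha2}")


def replay_scheme2():
    realm = "example"
    stored_ha1 = md5hex(f"alice:{realm}:hunter2")
    nonce1 = digest_challenge()
    resp = digest_response("alice", "hunter2", realm, nonce1, "GET", "/inbox")
    first = digest_verify(stored_ha1, nonce1, "GET", "/inbox", resp)
    nonce2 = digest_challenge()  # attacker replays `resp` against the next challenge
    replayed = digest_verify(stored_ha1, nonce2, "GET", "/inbox", resp)
    return first, replayed
```

Digest fixes credential replay across challenges, but it says nothing about the session cookie that the site hands out afterwards, which is the thing Firesheep actually captures; the poster's point that Digest would let sites drop cookies for authentication is what makes it relevant here.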
Re:No HTTPS encryption (Score:5, Informative)
> Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in [--DrYak]
> I still have to manually change http to https in the URL every time they decide to sign me off. [--cindyann]
Install the HTTPS-Everywhere FF Plugin. It will SSL-encrypt Facebook and a host of other domains. Only draw-back: Chat doesn't work via SSL atm.
https://www.eff.org/https-everywhere [eff.org]
And while you're at it, also install the BetterPrivacy Add-on:
https://addons.mozilla.org/en-US/firefox/addon/6623/ [mozilla.org]
which will get rid of the LSO cookie Facebook sets each time you use it. Best used in conjunction with AskforSanitize.
Re:No HTTPS encryption (Score:4, Informative)
Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/ [facebook.com]:
<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">
The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/ [facebook.com] by rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.
That said, if you're worried about it you could always install HTTPS Everywhere [eff.org] and it will make Facebook always load using SSL.
Re:A better explanation (Score:4, Informative)
here: http://codebutler.com/firesheep [codebutler.com].
Steve Manuel of TechCrunch claims that the Force-TLS 2.0 [mozilla.org] Firefox extension can defeat Firesheep. (You have to configure it manually for each site you want to protect, though, so it's somewhat of a PITA.)
Another option is the HTTPS Everywhere [eff.org] Firefox extension from EFF and the Tor Project. Although HTTPS Everywhere has a predefined ruleset that includes some of the most popular Web sites, you'll still have to write your own ruleset [eff.org] for any site not on their default list.
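The rewrite attack described two posts up and the ruleset-based fix described here can be shown together. The added example below (not from the thread, and not the HTTPS Everywhere or Force-TLS source) first does what an in-path attacker on the hotspot does to an HTTP-served login page, namely turn the HTTPS form action into HTTP, and then applies an HTTPS Everywhere-style `from`/`to` rule to the URLs the client is about to request. The page, domains and rules are constructed for `example.test`; the real extension loads equivalent rules from per-site XML rulesets.

```python
# Added example: stripping an HTTPS form action on an HTTP page, and a client-side
# URL-upgrade rule that undoes it. Page contents, domains and rules are constructed.
import re

# Constructed login page served over plain HTTP whose form posts to HTTPS,
# the same pattern as the facebook.com form quoted above.
LOGIN_PAGE = (
    '<html><body>'
    '<form method="POST" action="https://login.example.test/login.php?login_attempt=1" '
    'id="login_form"><input name="email"><input name="pass" type="password"></form>'
    '</body></html>'
)


def mitm_strip_https(html):
    """What an attacker in the path of an HTTP response can do: rewrite every
    https:// reference to http:// so the credentials are posted in the clear.
    The address bar showed 'http' before and still does, so nothing looks wrong."""
    return re.sub(r'(?i)\bhttps://', 'http://', html)


# HTTPS Everywhere-style rules as (compiled `from` pattern, `to` replacement).
# Constructed for example.test; the extension ships such rules per site, and a
# site without a ruleset gets no protection (the caveat made above).
RULES = [
    (re.compile(r'^http://(www\.)?example\.test/'), r'https://www.example.test/'),
    (re.compile(r'^http://login\.example\.test/'), r'https://login.example.test/'),
]


def upgrade_url(url):
    """Apply the first matching rule before the request leaves the browser."""
    for pattern, replacement in RULES:
        if pattern.match(url):
            return pattern.sub(replacement, url, count=1)
    return url


def form_action(html):
    match = re.search(r'<form[^>]*\baction="([^"]+)"', html)
    return match.group(1) if match else None


def scenario():
    stripped_action = form_action(mitm_strip_https(LOGIN_PAGE))
    # A client that rewrites outgoing URLs upgrades the form submission back to
    # HTTPS even though the attacker tampered with the page; and because the page
    # URL itself gets upgraded too, the attacker never sees the page in the clear.
    return stripped_action, upgrade_url(stripped_action), upgrade_url("http://example.test/")
```

The rule-based approach only works for hosts that have a rule and actually answer on HTTPS; a site with no HTTPS endpoint at all, like the Yahoo! Mail case raised later in the thread, cannot be helped by any client-side extension.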
Re:and this is news ? (Score:5, Insightful)
the fact that it's unencrypted is Facebook's fault, it's not hard to push everything through HTTPS, there's no excuse these days
Re: (Score:3, Informative)
While I'm inclined to agree that any remotely commercial website should offer and default to encrypted transfers, it also serves you right if you use a service that doesn't encrypt everything. Using a service that doesn't at least offer you the option of encryption is akin to driving a car that you know has defective brakes (ha, car analogy!). If shit goes badly and you knew better, you've no one to blame but yourself. If you didn't know better, it's your own fault for not educating yourself about such b
Re: (Score:2)
But for Facebook's load size it's not a matter of signing up with DigiCert and enabling SSL.
Problems can be solved with money. Their only income stream is selling private information. Therefore:
Scenario one, your privacy is lost because they sell it to someone with money to pay for the dedicated SSL hardware cluster.
Scenario two, your privacy is lost because semi-smart people skimmed it away.
Since the end result is about the same, I'd rather reward the smart people than the greedy/rich people.
Re:and this is news ? (Score:5, Insightful)
Good point.
I'm surprised so many people are upset about people stealing their private information, but have no problem with someone buying and selling their private information.
Re:and this is news ? (Score:4, Insightful)
users will begin a mass exodus once more and more articles about the dangers of Facebook are written and IT Professionals and techies begin informing everyone that using Facebook is dangerous especially on a Winblows PC.
Oh you can't seriously believe that!
People have been screaming at the top of their lungs about how insecure facebook is and what they do with your information for years. Your average user just doesn't care as long as they can keep playing farmville!
Re: (Score:2)
"not hard". Well maybe not for your blog with 2 users per week. But for facebooks loadsize it's not a matter of signing up with digicert and enabling SSL.
Facebook's issue isn't buying & installing a certificate, it's that they have so much web traffic that the CPU load of encrypting all that traffic (or buying dedicated encryption acceleration hardware) is significant.
He needs to do more than get a certificate and add it to his server. He also has to buy more hardware to deal with the extra load that this will add.
Re:and this is news ? (Score:5, Insightful)
someone in the same network sniffing your unencrypted traffic is Facebook's fault ?
or the fact that someone made a UI to do it for dummies ?
The fact that it is unencrypted is, yes.
Re: (Score:2)
Wait, it's Facebook's fault that you chose to browse their site unencrypted?
You have the choice - if you visit https://facebook.com/ [facebook.com] it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?
Re:and this is news ? (Score:5, Informative)
Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.
Re: (Score:2)
Should be encrypted by default. Should not be an unencrypted option.
Re: (Score:2)
Why is it anyone's "fault?" Who cares? It's Facebook for science's sake! It's all just pictures of people's kids and crap, it doesn't matter at all if someone logs on as me and posts nonsense!
[/perspective]
Re: (Score:2)
Why is it anyone's "fault?" Who cares? It's Facebook for science's sake! It's all just pictures of people's kids and crap*, it doesn't matter at all if someone logs on as me and posts nonsense!
[/perspective]
* that people have a general sense of being true. Great mischief can be done with data gathered, or accounts used/people impersonated.
It's news in that people STILL don't get it (Score:2)
The news is that still hardly anyone understands SSL or what it is for.
People like to see that little lock sign (or whatever obscure message their browser displays) when they log into their bank. But I sincerely doubt that the great majority of people have any idea that things like e-mail transactions can be routed over SSL or why that might be a good (i.e., critically important) idea.
Just scan your local neighborhood and look at (for an analogous example) how many people are still using WEP and thinking th
Re: (Score:2)
Email (IMAPS/SMTPS to your server) over SSL is nice but ultimately irrelevant, as you don't know if the rest of the path is encrypted. Only OpenPGP is safe.
WEP is similar; it's not a real protection, but stops the random kid trying to use your 'net to download stuff.
Why no encryption? (Score:4, Interesting)
"Double-click on someone, and you're instantly logged in as them."
What's the extra cost, 15-20%, vs unencrypted HTTP?
Would SSL being left off allow creative law enforcement uses?
Re: (Score:2)
SSL can be delegated to a PCI-e crypto accelerator board. [oracle.com]
Perhaps the same would work for privacy violation?
Re:Why no encryption? (Score:5, Informative)
When Google switched Gmail over to HTTPS all the time for everything, they found it accounted for 1% of CPU load:
http://unblog.pidster.com/imperialviolet-overclocking-ssl?c=1 [pidster.com]
So Facebook probably wouldn't need to do much more than get their software set right.
Re:Why no encryption? (Score:5, Funny)
Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)
Facebook's servers were hanging around in a dark alley one fateful night. My privacy just happened to think that particular night, let's take the shorter route home. It's as if Facebook's servers sniffed she was coming, despite her high privacy settings. They libpcaptured her, then stripped all of her headers and checksums, right down to her bare profile while taunting her loudly. Some traffic just passed by without doing anything. My privacy was violated again, and again, and Facebook's servers just kept going and going. Then they left my privacy "face"-down in a shallow ditch, some shreds of unique ROWIDs covering her bloodsoaked profile.
https everywhere (Score:2)
Plugin-rebuttal.
Re:https everywhere (Score:5, Interesting)
But some of the services that Firesheep targets don't offer an https option *at all*. This is no rebuttal, it only proves the Firesheep developer's point: these services have an inappropriate level of security.
The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail service this is utterly unacceptable. https for login is a fig leaf, the only thing this does is give users a false sense of security.
What permissions do you need ? (Score:2)
If it's the former, then there's nothing too special - sniffers can do that already.
If it's the latter, then it's time to put on the tinfoil hats.
Re:What permissions do you need ? (Score:4, Informative)
What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?
None, no, and most emphatically yes.
Re:What permissions do you need ? (Score:4, Informative)
What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?
You need to be administrator to place your network card into promiscuous mode [wikipedia.org] or rfmon for wireless.
So in a public wifi network you're screwed. In a public ethernet network it depends if it's a switched or hubbed network. But even in a switched network you could be vulnerable to this via ARP poisoning.
The takeaway is what we've known for decades, if you want private communications use encryption.
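On the switched-Ethernet case mentioned above: ARP poisoning leaves a trace on every host whose cache it rewrites, and the simplest check is to watch the gateway's MAC address. The added example below (not from the thread, not from any tool) parses two constructed `arp -n` snapshots, as Linux prints them, and flags the two symptoms a practitioner looks for: the gateway's hardware address changing, and one MAC answering for several IPs. All addresses are made up.

```python
# Added example: spotting ARP poisoning from two `arp -n` snapshots.
# Both snapshots are constructed; the addresses do not belong to a real network.

SNAPSHOT_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.0.2.1                ether   00:11:22:33:44:01   C                     wlan0
192.0.2.23               ether   00:11:22:33:44:23   C                     wlan0
192.0.2.99               ether   de:ad:be:ef:00:99   C                     wlan0
"""

# Later snapshot: the host at .99 has claimed the gateway's IP.
SNAPSHOT_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.0.2.1                ether   de:ad:be:ef:00:99   C                     wlan0
192.0.2.23               ether   00:11:22:33:44:23   C                     wlan0
192.0.2.99               ether   de:ad:be:ef:00:99   C                     wlan0
"""


def parse_arp(text):
    """Return {ip: mac} from `arp -n` output, skipping the header line."""
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "ether":
            table[parts[0]] = parts[2].lower()
    return table


def arp_alerts(before, after, gateway):
    """Compare two snapshots and describe anything that looks like poisoning."""
    alerts = []
    old, new = parse_arp(before), parse_arp(after)
    # Symptom 1: the gateway's hardware address moved.
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        alerts.append(f"gateway {gateway} moved from {old[gateway]} to {new[gateway]}")
    # Symptom 2: a single MAC now answers for more than one IP.
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {sorted(ips)}")
    return alerts
```

A static ARP entry for the gateway defeats the cache rewrite on the host that sets it, but on open Wi-Fi none of this matters: frames are on the air for anyone in range, and only encryption of the traffic itself (the takeaway above) helps.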
Another point is not "missing the point" (Score:5, Insightful)
Another point does not "miss the point".
Transport security != corporate marketing of private data
Re: (Score:2)
It also misses the point that Facebook is about *SHARING* data. The idea is you are sharing things with people. If you want to keep things private ... Facebook is not the place to do it.
Duh! But I did enjoy watching the metal boomerang slice your hand off. I'm sure you won't mind if I share (having assumed your Facebook identity on the sly) that you're dumping your main squeeze because she slept with your boss, but you don't care because you're out now.
It's unfortunate that authentication and privacy get so badly conflated. The need for SSL certificates derives from the authentication function, but you can't establish a private connection without one, for no technical reason at all, but
Promiscuous mode on any adapter? (Score:5, Interesting)
I used to do sniffing and stuff like this a couple years ago and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st party drivers to allow sniffing. I used a linksys usb adapter since there were 3rd party drivers that allowed it.
unless something has changed I thought most wireless driver didn't support promiscuous mode for sniffing.
Re: (Score:2)
yeah it was easier for linux but the plugin doesn't even have linux support yet that's why i'm wondering how it works. even more curious that a browser plugin has that level of access to the system.
Re:How does it work? (Score:4, Informative)
It can capture the wifi since anyone can capture the frames if they are within range of the transmissions. But if you are not monitoring when the signals go out, you cannot capture them.
Am I the only one who finds it amusing... (Score:3, Interesting)
... that the bleating masses who so readily rushed to put their entire lives and details on social networking sites despite all the warnings are now running around shouting at all the chickens that are coming home to roost?
For the rest of us with some common sense this is just hilarious.
Re: (Score:2)
For the rest of us with some common sense this is just hilarious.
You're making a bad judgment here - there is a lack of common sense in both IT geeks like 'us' and normal users (anyone outside IT).
The issue with facebook and security has nothing to do with common sense per se, but with IT training. You and I may know a few things about security, which may lead us to accept some things, but reject others.
People outside IT do not have this type of training, nor would it be easy to bestow it on them. It IS the kind of people (the 90+% of the planet) which can not easily fo
Re: (Score:2)
I hate to break it to you but the intersection of the set of people whom you consider to be the "bleating masses who so readily rushed to put their entire lives and details on social networking sites" and the set of people who read about the opensource project known as firesheep AND are really concerned about someone packet sniffing on their own network and then doing something malicious with it (just logging in is likely completely illegal) is probably incredibly small so no one is running around shouting
Re: (Score:2)
Well for a start mixing metaphors doesn't mean just using 2 in the same sentence and secondly if you think living your life on a social networking site is "frollicking in the sun" then I'd suggest you get out more my friend.
Re: (Score:2)
those dang sheep finally got their comeuppance for frolicking in the sun instead of hunkering down underground and now are all whaling
Whaling is against international treaty these days, haven't you heard? And what does hunting whales have to do with facebook, anyway?
Re: (Score:2)
The Council of Wool, being the governing body of Sheep, never signed onto that treaty due to the long history of conflict in sheep-whale relations.
Good catch ;)
Re: (Score:2)
Look, I know plenty of people who use Facebook and the like basically as a means to post blogs (or, as "twitter with 420 character posts"). They don't put up anything personally sensitive, but they would still be pissed off if someone stole their info and started putting up posts in support of neo-Nazi child pornography or whatever.
Re: (Score:2)
This is session cookie hijacking, it could be used to spoof your Slashdot credentials just as much as someone's Facebook account. Someone just put "Social Network" in the headline to make it seem more hip. Cookie spoofing has been known since the invention of Cookies.
Er, It's the lack of SSL (Score:2)
It is the lack of SSL that is the problem here, and it is the non-use of SSL that 'is the elephant in the room,'
This has been going on for a long time now - attend a NANOG meeting and use unencrypted logins, and you may well see your password on the screen by the end of the meeting - the white hat guys routinely sniff the wireless for passwords.
Mobile Apps (Score:2)
So this leads me to ask if I am safer when using the Facebook/Amazon/eBay app rather than the mobile browser. Is the security of the iPhone or android apps better than the web security for Facebook?
Or can I make my access of these sites more secure myself somehow?
Re: (Score:2)
One way to find out is to do a promiscuous tcpdump of your local network traffic while using that app - if you can read personally identifiable items in plain text, you are simply not safe.
I must be really really old... (Score:2)
I really miss the old good days, where talks on security conferences would blow you away, and where people would actually talk about new security related things, rather than showing 76th way of automating a process/procedure that has been known for 10 years (always involving grabbing [flavor of the month service]'s password).
Oh well, guess people were in security world for different reasons 10 years ago...
Re: (Score:2)
I must be really really old...
Yeah, you are. And me too. I bet a lot of the young'uns here have never heard of the protocol in your username.
Spread this (Score:2)
This needs to be heard by everyone. NOW. Sure, your New York Times access is largely trivial, but Facebook and gmail access? That's someone's life. Amazon, and soon Netflix, PayPal, and eBay? That's someone's money. Maybe once people start losing money and their jobs websites will realize the severity of security, as that's usually when it hits home. But until then, very neat.
Protect yourself: https://addons.mozilla.org/en-US/firefox/addon/12714/ [mozilla.org]
KB SSL Enforcer (Score:3, Interesting)
This is why I use this Chrome extension - https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof [google.com]
Basically for any site you go to it AUTOMATICALLY redirects you to the SSL version of that site if it exists. Including ssl.facebook.com.
Yes ssl.facebook.com should be the default, as should most sites, but until they are this extension is invaluable IMO.
I don't like sending data over an open channel... (Score:2)
When I am using public WiFi, I tend to SSH-tunnel to my proxy at home for web browsing,
It usually makes for a better browsing experience too because DNS on public WiFi usually sucks and the compression over SSH means that most web pages load quicker.
ALL network communication should be encrypted (Score:2)
Although I'm not holding my breath for IPv6 to be widely adopted any time soon....the fact that encryption is mandated in the protocol as an option is something that is long overdue. Clear text non-encrypted network traffic is something everybody should avoid if possible. (which is REALLY hard without a lot of work).
Maybe if encryption were mandated in packets, sniffing this sort of stuff would not be an issue? (yes)
Speaking for myself (who I am)... (Score:2)
Speaking as seebs, who I actually am, I think this addon is a brilliant example of the importance of making a threat concrete and specific in order for people to understand it. I, for one, welcome our new us overlords.
Consider:
http://www.csd.uwo.ca/staff/magi/personal/humour/Computer_Folklore/Robin%20Hood%20And%20Friar%20Tuck.html [csd.uwo.ca]
This is not a new technique. This is not a bad thing, particularly. And compared to the severity of the problem, I think it's pretty tastefully understated.
And again, this is ac
Re: (Score:2)
Your scenario would require more than just plugging into a network, it would require a switch in promiscuous mode or a hub. On a normal switch the traffic is not sent to all ports on the network; only broadcast traffic goes to all ports.
And if you're running switches or a hacker has access enough to your switches to turn on Promiscuous mode, you have other problems, and securing web traffic is not one of the big ones.
The fact that you got modded "Interesting" on /. makes me sad.