
Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."
  • and this is news ? (Score:3, Insightful)

    by Torvac ( 691504 ) on Monday October 25, 2010 @08:12AM (#34010586)
    Someone in the same network sniffing your unencrypted traffic is Facebook's fault? Or the fact that someone made a UI to do it for dummies?
  • by Anonymous Coward on Monday October 25, 2010 @08:15AM (#34010604)

    The fact that it's unencrypted is Facebook's fault; it's not hard to push everything through HTTPS. There's no excuse these days.

  • by Ephemeriis ( 315124 ) on Monday October 25, 2010 @08:25AM (#34010652)

    Someone in the same network sniffing your unencrypted traffic is Facebook's fault?
    Or the fact that someone made a UI to do it for dummies?

    The fact that it is unencrypted is, yes.

  • squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

    Another point does not "miss the point".

    Transport security != corporate marketing of private data

  • by SudoGhost ( 1779150 ) on Monday October 25, 2010 @08:44AM (#34010752)

    the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

    I'm much more concerned about that than someone on my network stealing my password. If they're on my network, they could steal my password? This is not new, nor is it news. The number of people on the internet out to get your personal information is much, much higher than the number of people on your network out to do the same.

    This is just a high-tech version of this:

    "'When it comes to user privacy, other people are the elephant in the room,' said SudoGhost, random douchebag author of the post in question, dubbed 'Other People in the Room'. By being in the room and watching the screen/keyboard, anyone can 'sniff out' not only the unencrypted HTTP sessions, but virtually any keystroke, allowing your mom to access social networks, online services and other websites requiring a login, and simply hijack them and find out where you really were Saturday night."

  • by DrYak ( 748999 ) on Monday October 25, 2010 @08:53AM (#34010814) Homepage

    Kudos to Facebook and most other networks for NOT using encryption for anything but the login, making such hacks possible!
    I know that HTTPS would put some stress on the servers, especially with something as big as Facebook.
    But, come on. Social networks have become so important for some people that the risks of vandalism/identity spoofing/defamation, etc. are significant and would benefit from some more protection.

  • Cookie theft (Score:5, Insightful)

    by Securityemo ( 1407943 ) on Monday October 25, 2010 @08:54AM (#34010828) Journal
    It's "just" WiFi cookie theft. You can do that easily with Wireshark and copy/paste; this just makes it a bit faster. The problem lies in session cookies, and this is a problem known for what, almost a decade now?
  • by statusbar ( 314703 ) <jeffk@statusbar.com> on Monday October 25, 2010 @09:17AM (#34011080) Homepage Journal

    How many people use wireless at a conference, or a coffee shop, or a hotel?

  • by Anrego ( 830717 ) * on Monday October 25, 2010 @09:36AM (#34011262)

    users will begin a mass exodus once more and more articles about the dangers of Facebook are written and IT Professionals and techies begin informing everyone that using Facebook is dangerous especially on a Winblows PC.

    Oh you can't seriously believe that!

    People have been screaming at the top of their lungs about how insecure Facebook is and what they do with your information for years. Your average user just doesn't care as long as they can keep playing Farmville!

  • by PopeRatzo ( 965947 ) * on Monday October 25, 2010 @09:54AM (#34011430) Journal

    Their only income stream is selling private information.

    Good point.

    I'm surprised so many people are upset about people stealing their private information, but have no problem with someone buying and selling their private information.

  • by gmurray ( 927668 ) on Monday October 25, 2010 @10:09AM (#34011572)
    md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.
  • by gmurray ( 927668 ) on Monday October 25, 2010 @10:10AM (#34011588)
    Furthermore, the entire usefulness of md5 is that you can't un-md5 it ;-)
  • by Anonymous Coward on Monday October 25, 2010 @10:17AM (#34011670)

    This won't work as the extension sniffs out cookies, not passwords.

    Even then, this won't help, as the extension could be changed to sniff the hashed password (it's just sent as plain text over HTTP) and send that hash itself.
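    The replay point made by gmurray and the Anonymous Coward above, shown as an added illustration that is not part of any post in the thread: a client-side md5(password) sent in the clear is a fixed token that a server accepts again verbatim, whereas a challenge-response scheme bound to a single-use server nonce rejects a captured response. The scheme, the `ChallengeServer` class and the sample password are constructed for this example; it covers only the password step, and the session cookie issued afterwards remains a bearer token that only transport encryption protects, which is the thread's actual point.

    ```python
    import hashlib
    import hmac
    import secrets

    # Constructed sample credential for the demo; not a real account.
    PASSWORD = "correct horse battery staple"
    STORED_DIGEST = hashlib.md5(PASSWORD.encode()).digest()  # server-side verifier


    def static_hash_login(submitted_digest: bytes) -> bool:
        """Client sends md5(password) in the clear and the server compares it.
        The digest is identical on every login, so a copy taken off the wire
        is accepted verbatim: the hash is itself a replayable token."""
        return hmac.compare_digest(submitted_digest, STORED_DIGEST)


    def client_response(nonce: str, password: str) -> str:
        """Client side of challenge-response: HMAC over the server's nonce,
        keyed with md5(password) so the password itself never crosses the wire."""
        key = hashlib.md5(password.encode()).digest()
        return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


    class ChallengeServer:
        """Server side: every login is bound to a fresh, single-use nonce."""

        def __init__(self) -> None:
            self.outstanding: set[str] = set()

        def issue_nonce(self) -> str:
            nonce = secrets.token_hex(16)
            self.outstanding.add(nonce)
            return nonce

        def login(self, nonce: str, response: str) -> bool:
            if nonce not in self.outstanding:  # unknown or already consumed
                return False
            self.outstanding.discard(nonce)  # single use, even when the attempt fails
            expected = hmac.new(STORED_DIGEST, nonce.encode(), hashlib.sha256).hexdigest()
            return hmac.compare_digest(response, expected)


    def replay_demo() -> dict:
        """Replay a credential observed once on the wire against both schemes."""
        srv = ChallengeServer()
        nonce = srv.issue_nonce()
        observed = client_response(nonce, PASSWORD)  # the one genuine login
        return {
            "static_hash_replays": static_hash_login(STORED_DIGEST),
            "challenge_genuine": srv.login(nonce, observed),
            "challenge_replay_same_nonce": srv.login(nonce, observed),
            "challenge_replay_new_nonce": srv.login(srv.issue_nonce(), observed),
        }
    ```
    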

  • by Confusador ( 1783468 ) on Monday October 25, 2010 @10:21AM (#34011734)

    There's a world of difference between having a fallback for those who can't use the secure site (with a warning that it is not secure, even) and not having an option for those who can.
