Firefox Extension Makes Social-Network ID Spoofing Trivial

Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other website requiring a login, and simply hijack them and impersonate the user."

Why no encryption?

[AHuxley]

What is the cpu use and heat of the user base requesting and using ssl vs this bad news?
"Double-click on someone, and you're instantly logged in as them."
Whats the the extra use 15-20%? vs unencrypted HTTP.
Would ssl been left off allow creative law enforcement uses?

Promiscuous mode on any adapter?

[SpinningCone]

I used to do sniffing and stuff like this a couple years ago and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st party drivers to allow sniffing. I used a linksys usb adapter since there were 3rd party drivers that allowed it.

unless something has changed I thought most wireless driver didn't support promiscuous mode for sniffing.

How does it work?

[pinkeen]

The article is extremely light on details. The plugin's page [codebutler.com] doesn't tell much either. I'm curious how does it capture the WIFI packets. Is it possible to capture them when not in monitor mode?

Am I the only one who finds it amusing...

[Viol8]

... that the bleating masses who so readily rushed to put their entire lives and details on social networking sites despite all the warnings are now running around shouting at all the chickens that are coming home to roost?

For the rest of us with some common sense this is just hilarious.

Re:and this is news ?

[Anonymous Coward]

Post your user/pass if it doesn't matter. Put your action where your mouth/fingers is/are.

But will it...

[koterica]

run (on) linux? Apparently not. I guess I wont be using it.

Re:No HTTPS encryption

[FrostDust]

Do they have any guarantee that all of their users have a browser that supports HTTPS?

To Facebook, it's better to allow access to as many users as possible, than lock some out in the name of security.

Re:WPA2 will work better against this hack

[Instant_Karmma]

This works on any network segment, including wired. How many people do you know that use Facebook, Amazon, etc. from their desks? Sure, your traffic could always be monitored by the PFY's in the data center, but now your pointy-haired boss has a tool that allows him to see what you've been buying. No thanks.

Re:https everywhere

[anti-pop-frustration]

https everywhere [eff.org] is indeed a great extension, and everybody should be using it.

But some of the services that Firesheep target don't offer an https option *at all*. This is no rebuttal, it only proves Firesheep developer's point : these services have an unappropriate level of security.

The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail service this is utterly unacceptable. https for login is a fig leaf, the only thing this does is give users a false sense of security.

KB SSL Enforcer

[brunes69]

This is why I use this Chrome extension - https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof [google.com]

Basically for any site you go to it AUTOMATICALLY redirects you to the SSL version of that site if it exists. Including ssl.facebook.com.

Yes ssl.facebook.com should be the default, as should most sites, but until they are this extension is invaluable IMO.

eBay Gaming

[Anonymous Coward]

I get so irritated with the gaming of eBay's system. It wasn't until I put up a nice guitar that I learned if you want to get a good deal on something, bid as a brand-new user. What was happening was some brand-new user was bidding on my auction in the smallest increments allowed. This made it look like the auction was being bid up by me, so probably a lot of eBay regulars didn't want to bid because of this douche. I didn't really notice or understand what was happening until the douche won the auction at a price that was hundreds below where the guitar should have sold. And I'm too effing moral to do the other eBay game I hate which is when a seller cancels an auction simply because the price is too low. I've had that happen on a number of occasions where it was very clear I was going to get a sweet deal on an auction and seller suddenly cancels. Of course, you place a bid and there's no fucking way to get out of it without getting permission from the seller, but if you're a seller you can get out of the auction any damn time you please.

Re:How does it work?

[pinkeen]

That wasn't my question. When in monitor (promiscous) mode, adapter can capture but cannot associate and give you internet connection. So, when you capture packets you need another wlan adapter or ethernet nic for your internet conncetion to actually use this stolen cookies. There's no mention of it on the site. So I wondered that maybe the plugin does some magic and captures packets while the same adapter is associated with an ap.