Firefox Extension Makes Social-Network ID Spoofing Trivial
Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."
First haxx! (Score:4, Funny)
Ha ha, anon is pwned :D
Re:First haxx! (Score:5, Funny)
WTF! This guy is logged in as me!
Re:First haxx! (Score:1, Funny)
Dude, seriously, he probably isn't even using the plugin... Your password is one of the worst I've seen. Heck, even I cracked it (as you can see from this post).
Re:First haxx! (Score:2, Funny)
Remind me to change the combination to my luggage.
My comments (Score:3, Funny)
Someone who obviously must have sniffed out my wireless cookies. Shame on them.
Re:Use md5 (or something) over the wire (Score:5, Funny)
md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.
Well, then md5 the hash. It's just like using triple-DES or double rot-13 (one of the two, or maybe a happy middle-ground). ;)
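The reply above puts the problem where it belongs: a replayable session token sent without encryption, not the password hashing. As an added example (not from the thread or from Firesheep), the script below audits constructed Set-Cookie headers and flags session cookies that a browser would still send on a plain http:// request, since only the Secure attribute stops that; the cookie names and the name heuristic are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, the kind a login response returns (not from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                          # replayable over plain HTTP
    "auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Lax",   # only ever sent over TLS
    "theme=dark; Path=/; Max-Age=31536000",                        # not a session token
]

# Name fragments that usually mark a session/authentication cookie (assumed heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def is_session_cookie(name: str) -> bool:
    """Heuristic: does this cookie name look like it carries a login session?"""
    return any(hint in name.lower() for hint in SESSION_HINTS)


def sent_over_plain_http(morsel) -> bool:
    """A browser only withholds a cookie from http:// requests when Secure is set."""
    return not bool(morsel["secure"])


def audit_set_cookie(header: str) -> list:
    """Return findings for one Set-Cookie header; an empty list means nothing to flag."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not is_session_cookie(name):
            continue
        if sent_over_plain_http(morsel):
            findings.append(f"{name}: missing Secure, token leaks on any http:// request")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    return findings


def audit_headers(headers) -> dict:
    """Map each header to its findings, keeping only headers with something to report."""
    report = {h: audit_set_cookie(h) for h in headers}
    return {h: f for h, f in report.items() if f}


if __name__ == "__main__":
    for header, findings in audit_headers(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```

Pointing the same check at a real login response (for example the Set-Cookie lines from a HAR export) shows whether a site's session token is ever exposed to someone sniffing the segment.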
Re:Why no encryption? (Score:5, Funny)
Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)
Facebook's servers were hanging around in a dark alley one fateful night. My privacy just happened to think that particular night, let's take the shorter route home. It's as if Facebook's servers sniffed she was coming, despite her high privacy settings. They libpcaptured her, then stripped all of her headers and checksums, right down to the bare profile, while taunting her loudly. Some traffic just passed by without doing anything. My privacy was violated again, and again, and Facebook's servers just kept going and going. Then they left my privacy "face"-down in a shallow ditch, some shreds of unique ROWIDs covering her blood-soaked profile.
Re:Use md5 (or something) over the wire (Score:3, Funny)
md5 the password with JavaScript on the client end before sending it. Then un-md5 it with PHP on the server.
Or use quad-ROT13 instead.