
Firefox Extension Makes Social-Network ID Spoofing Trivial

timothy posted more than 2 years ago | from the plausible-deniability-for-farmville dept.


Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user."



Illegal? (5, Informative)

Anonymous Coward | more than 2 years ago | (#34010574)

I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this) but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal laws in the US (and likely most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?)

So be careful where you click..

Use md5 (or something) over the wire (3, Informative)

Compaqt (1758360) | more than 2 years ago | (#34011506)

Leaving aside md5 cracks (use another algo if you want):

md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.

Plenty of security-conscious CMS's have been doing this before Mark Z even thought of an electronic facebook.

Re:Use md5 (or something) over the wire (2, Insightful)

gmurray (927668) | more than 2 years ago | (#34011572)

md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.

Re:Use md5 (or something) over the wire (5, Insightful)

gmurray (927668) | more than 2 years ago | (#34011588)

furthermore the entire usefulness of md5 is that you can't un-md5 it ;-)

Re:Use md5 (or something) over the wire (4, Funny)

Culture20 (968837) | more than 2 years ago | (#34011912)

md5 is a hash algorithm. How would that help? If someone can snoop your md5 hash they can replay it to gain access to the server, and then change your password (provided the server doesn't provide a challenge to perform this action). All md5 does is protect your actual password, which is small protection if your account can be illicitly accessed anyway. None of these services send a password in plaintext (hopefully). That isn't the issue. The issue is that they use replayable tokens and don't use encryption to send them on the wire.

Well, then md5 the hash. It's just like using triple-DES or double rot-13 (one of the two, or maybe a happy middle-ground). ;)

Re:Use md5 (or something) over the wire (1)

gmurray (927668) | more than 2 years ago | (#34012268)

How exactly would that help? You could md5 hash a password and a timestamp, and this would at least limit the amount of time that a hashed password could be replayed, but it would not prevent the replay of the password. The nature of a hash is that it isn't something that you decode. It obscures something from view, so that a party on the other end, if it knows the same secret, can verify that you know the secret, without divulging the secret publicly.

But if someone can snoop your hash, they can replay it and pretend they know the secret, without actually knowing it.

This is why a hash protects the secret, but doesn't protect the service from replay attacks, you need encryption also.

A hash is a good idea to be used in concert with encryption because then, even if the encryption is broken, the secret is not exposed. But a hash in itself is not a secure way to assert identity.

Re:Use md5 (or something) over the wire (2, Informative)

ogapo (1420605) | more than 2 years ago | (#34011648)

I think you may not understand how a cryptographic hash works. In the scheme you are describing, the password is typically hashed on the client side (along with some value specified by the server which changes every time). When the server gets the hash, it hashes the password (as stored in the DB and possibly also hashed) along with the same value and compares the result. Regardless, what this plugin does is not steal passwords, but simply looks for authenticated credentials (usually cookies). See, once you authenticate, the server gives you a cookie (your session identifier) that you pass back with every request to prove you are who you say you are. Since the traffic is not encrypted, this can be intercepted by anyone on a network between you and the facebook servers. If you live on a college campus or work for an ISP, this could very well be many people. Even if Facebook is smart enough to tie this session to your IP, it's likely that someone in a correct network position to sniff your packets can also viably spoof your IP (both sending and receiving). This is effectively the same as them hijacking your account except the ability goes away when your session expires.

Re:Use md5 (or something) over the wire (2, Insightful)

Anonymous Coward | more than 2 years ago | (#34011670)

This won't work as the extension sniffs out cookies, not passwords.

Even then, this won't help as the extension could be changed to sniff the hashed password (it's just sent as plain text over HTTP), and send that hash itself.

Re:Use md5 (or something) over the wire (4, Informative)

jwietelmann (1220240) | more than 2 years ago | (#34011920)

Hash = 1-way crypto

The only way to "un-md5" anything is to crack it. Also, I'm not sure you actually put any real thought into this.

Since it's best practice to store only password hashes (and not the passwords themselves) in your database (or whatever), your process is apparently:

  1. Client md5's the password, sends it to server
  2. Server "un-md5"s the password (let's say for argument's sake that this makes perfect sense)
  3. Server md5's the un-md5'd password
  4. Server checks hash against user's hash in the database

Re:Use md5 (or something) over the wire (2, Informative)

Mashiara (5631) | more than 2 years ago | (#34012106)

You are missing the point.

The problem is not reading the password as plaintext from the cookie (now that would be monumentally stupid design) but that since the cookie equals valid session authentication copying the cookie equals session hijacking (or sidejacking since the original cookie is still there on the original users machine).

Re:Use md5 (or something) over the wire (1)

Mashiara (5631) | more than 2 years ago | (#34012168)

The login forms/submissions, as far as I understand, do go over SSL, so encrypting the password is kinda pointless there.

Also there is no such thing as "un-md5", now the password might be encrypted (des/aes/whatever) but hashes are by definition one-way.

Re:Use md5 (or something) over the wire (0)

Anonymous Coward | more than 2 years ago | (#34012322)

1) This is about cookies, not passwords
2) Your idea fails to protect passwords; sure, the hacker won't know the actual password, but he can just send the md5 like the javascript would.

First haxx! (4, Funny)

Anonymous Coward | more than 2 years ago | (#34010576)

Ha ha, anon is pwned :D

Re:First haxx! (5, Funny)

Anonymous Coward | more than 2 years ago | (#34010590)

WTF !, this guy is logged in as me !

Re:First haxx! (1, Funny)

Anonymous Coward | more than 2 years ago | (#34010622)

Dude, seriously, he probably isn't even using the plugin... Your password is one of the worst I've seen. Heck, even I cracked it (as you can see from this post)

Re:First haxx! (2, Funny)

Anonymous Coward | more than 2 years ago | (#34010754)

Remind me to change the combination to my luggage.

Re:First haxx! (0)

Anonymous Coward | more than 2 years ago | (#34011596)

Too late, already stole it! If you want your luggage back, post here.

My comments (2, Funny)

formfeed (703859) | more than 2 years ago | (#34011510)

I'd like to declare that all comments under my user name that are controversial or could get me in trouble were made by someone else.

Someone, who obviously must have sniffed out my wireless cookies. -Shame on them.

A better explanation (5, Informative)

buchner.johannes (1139593) | more than 2 years ago | (#34010578)

here: http://codebutler.com/firesheep [codebutler.com]

They apparently call it "sidejacking", i.e. sniffing other users' cookies from a wifi, and using it. Not new, but made userfriendly.
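Sidejacking, as the comment above and Mashiara's reply describe it, is nothing more than reading the Cookie header out of plaintext HTTP requests and presenting it again. The following added example (not Firesheep's code) does that over a constructed capture, then shows the client-side half of the defence: a cookie carrying the Secure attribute is never attached to an http:// request by a compliant client, so forcing the site to HTTPS and marking the session cookie Secure leaves nothing for a sniffer to pick up. The host names are sites named in this thread; the cookie names and values, and the mapping of which cookies make up a session, are assumptions for the demo.

```python
"""What a passive sniffer sees in plaintext HTTP, and why the Secure cookie
attribute matters.  Added illustration, not Firesheep's code."""
import http.cookiejar
import urllib.request

# Constructed capture: three requests as they would cross an open Wi-Fi
# network.  Cookie names and values are made up for the demo.
CAPTURE = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: datr=AbCd1234; c_user=100000000000001; xs=42%3Adeadbeef\r\n"
    b"\r\n"
    b"GET /favicon.ico HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"\r\n"
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"Cookie: _twitter_sess=BAh7CDoPY3JlYXRl; auth_token=f00ba5\r\n"
    b"\r\n"
)

# Which cookie names make up a session for which host.  Firesheep ships one
# handler per site; these two entries are assumptions for the demo.
SESSION_COOKIES = {
    "www.facebook.com": ("c_user", "xs"),
    "twitter.com": ("_twitter_sess", "auth_token"),
}


def harvest_sessions(capture):
    """Split a plaintext capture into requests and pull out session cookies.
    Returns a list of (host, {cookie_name: value}) for every request that
    carried a complete session."""
    found = []
    for raw in capture.split(b"\r\n\r\n"):
        if not raw.strip():
            continue
        lines = raw.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:                 # lines[0] is the request line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        host = headers.get("host", "")
        cookies = {}
        for part in headers.get("cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                cookies[name] = value
        wanted = SESSION_COOKIES.get(host, ())
        session = {n: cookies[n] for n in wanted if n in cookies}
        if wanted and len(session) == len(wanted):
            found.append((host, session))
    return found


def make_cookie(name, value, domain, secure):
    """Build a cookie as a browser would store it after a Set-Cookie header."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True, secure=secure, expires=None,
        discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)


def cookie_sent_over(scheme, secure):
    """Would a compliant client attach the session cookie to a request made
    over `scheme`?  No network traffic: the jar only fills in the header."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("xs", "42%3Adeadbeef", ".facebook.com", secure))
    req = urllib.request.Request(f"{scheme}://www.facebook.com/home.php")
    jar.add_cookie_header(req)
    return req.has_header("Cookie")


if __name__ == "__main__":
    for host, session in harvest_sessions(CAPTURE):
        print(host, session)
    for scheme in ("http", "https"):
        for secure in (False, True):
            print(f"{scheme:5s} secure={secure!s:5s} cookie sent:",
                  cookie_sent_over(scheme, secure))
```

The harvesting half works on whatever reaches the card: on open Wi-Fi in monitor mode that is every client's traffic, on WPA2 it is everyone who shares the pre-shared key. The Secure attribute alone is not enough either; if the site still serves any page over HTTP, the browser simply has no cookie to send there, which is why the site has to be reachable over HTTPS throughout.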

Other People in the Room (2, Insightful)

SudoGhost (1779150) | more than 2 years ago | (#34010752)

the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

I'm much more concerned about that than someone on my network stealing my password. If they're on my network, they could steal my password? This is not new, nor is it news. The number of people on the internet out to get your personal information is much, much higher than the number of people on your network out to do the same.

This is just a high-tech version of this:

'When it comes to user privacy, other people are the elephant in the room,' said SudoGhost, random douchebag author of the post in question, dubbed 'Other People in the Room'. By being in the room and watching the screen/keyboard, anyone can 'sniff out' not only the unencrypted HTTP sessions, but virtually any keystroke, allowing your mom to access social networks, online services and other website requiring a login, and simply hijack them and find out where you really were Saturday night."

Re:Other People in the Room (3, Insightful)

statusbar (314703) | more than 2 years ago | (#34011080)

How many people use wireless at a conference, or a coffee shop, or a hotel?

Re:Other People in the Room (0)

Anonymous Coward | more than 2 years ago | (#34011204)

I certainly use WiFi in all of those places. The step after making the connection to the WiFi access point is to make a VPN connection to work. After that, my traffic is tunneled securely (at least securely from the point of view of someone on that WiFi connection trying to snoop out unencrypted packets). I wouldn't want to use one of these access points without VPN for anything but checking the weather or something - nothing that requires login or private information that's for sure.

However, the obvious problem is the "average user" who either doesn't have a clue about security or who doesn't have a VPN connection they can make to up the bar in trying to hack them.

Re:Other People in the Room (1)

gmurray (927668) | more than 2 years ago | (#34011608)

I don't use other people's wifi for the same reason I wouldn't share a junkie's needle.

Re:Other People in the Room (1)

statusbar (314703) | more than 2 years ago | (#34011698)

Of course not, unless you are accessing the net via VPN, or SSH tunnel to a proxy, or of course when you are running firesheep...

No HTTPS encryption (4, Insightful)

DrYak (748999) | more than 2 years ago | (#34010814)

Kudos to Facebook and most other networks for NOT using encryption for anything but the log in, making such hacks possible!
I know that HTTPS would put some stress on the servers, especially with something as big as Facebook.
But, come on. Social networks have become so important for some people that the risks of vandalism/identity spoofing/defamation, etc. are significant and would benefit from some more protection.

Re:No HTTPS encryption (1)

cindyann (1916572) | more than 2 years ago | (#34011122)

Since when have they used SSL/HTTPS as the default for anything, let alone signing on?

I still have to manually change http to https in the URL every time they decide to sign me off.

Re:No HTTPS encryption (4, Informative)

muckracer (1204794) | more than 2 years ago | (#34011240)

> Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in [--DrYak]

> I still have to manually change http to https in the URL every time they decide to sign me off. [--cindyann]

Install the HTTPS-Everywhere FF Plugin. It will SSL-encrypt Facebook and a host of other domains. Only draw-back: Chat doesn't work via SSL atm.

https://www.eff.org/https-everywhere [eff.org]

And while you're at it, also install the BetterPrivacy Add-on:

https://addons.mozilla.org/en-US/firefox/addon/6623/ [mozilla.org]

which will get rid of the LSO cookie Facebook sets each time you use it. Best used in conjunction with AskforSanitize.

Re:No HTTPS encryption (4, Informative)

lavagolemking (1352431) | more than 2 years ago | (#34011304)

Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/ [facebook.com]:

<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">

The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/ [facebook.com] rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.

That said, if you're worried about it you could always install HTTPS Everywhere [eff.org] and it will make Facebook always load using SSL.
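The comment above describes a login page served over HTTP whose form posts to HTTPS, and why that only beats a passive sniffer: an active attacker rewrites the action before the page reaches the browser. The following added check (not Facebook's code, and not a tool from the thread) parses a page for forms containing a password field and reports the two weak configurations: a form that submits credentials over plain HTTP, and an HTTPS form that was itself delivered over HTTP. The sample page reuses the form tag quoted above with constructed input fields; `strip_https` simulates the rewrite the comment describes so the before-and-after findings can be compared.

```python
"""Audit a login page for credential forms that a network attacker can reach.
Added illustration; the page below is constructed around the form tag quoted
in the thread."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page: the form tag quoted in the comment plus made-up inputs and
# a second, non-login form that the audit should ignore.
PAGE = """<html><body>
<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">
  <input type="text" name="email"><input type="password" name="pass">
</form>
<form method="GET" action="/search"><input type="text" name="q"></form>
</body></html>"""


class LoginFormFinder(HTMLParser):
    """Collect every <form> and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif (tag == "input" and self._current is not None
              and (a.get("type") or "").lower() == "password"):
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html):
    """Return (finding, resolved_action) for each form that takes a password.

    plaintext_submit        credentials leave the browser over HTTP
    form_served_over_http   the HTTPS form came over HTTP, so an in-path
                            attacker can rewrite it before the user sees it
    """
    parser = LoginFormFinder()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])   # resolve relative actions
        if urlsplit(action).scheme != "https":
            findings.append(("plaintext_submit", action))
        elif page_scheme != "https":
            findings.append(("form_served_over_http", action))
    return findings


def strip_https(html):
    """Simulate the in-path rewrite the comment describes: every https://
    reference in the served page becomes http://."""
    return html.replace("https://", "http://")


if __name__ == "__main__":
    print("as served over HTTP:", audit_login_page("http://www.facebook.com/", PAGE))
    print("after rewrite:      ", audit_login_page("http://www.facebook.com/", strip_https(PAGE)))
    print("served over HTTPS:  ", audit_login_page("https://www.facebook.com/", PAGE))
```

The only finding-free configuration is the last one: the login page itself arrives over HTTPS, so there is no plaintext copy of the form for anyone on the path to edit.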

Re:No HTTPS encryption (1)

IAmGarethAdams (990037) | more than 2 years ago | (#34011808)

Well, the problem being exposed isn't related to the login form and password sniffing, but merely that after login a stolen session cookie gives you full access to someone's logged-in session (as it is in fact designed to). The problem is potentially less of an issue than having the password submission over HTTP - once you have a user's Facebook password, chances are you have the password to some of their other online accounts, whereas this attack only gives you access to the current logged in session - but it's definitely an issue that users need to be aware of.

Re:No HTTPS encryption (2, Interesting)

FrostDust (1009075) | more than 2 years ago | (#34011280)

Do they have any guarantee that all of their users have a browser that supports HTTPS?

To Facebook, it's better to allow access to as many users as possible, than lock some out in the name of security.

Re:No HTTPS encryption (3, Insightful)

Confusador (1783468) | more than 2 years ago | (#34011734)

There's a world of difference between having a fallback for those who can't use the secure site (with a warning that it is not secure, even) and not having an option for those who can.

Re:No HTTPS encryption (1)

kriebz (258828) | more than 2 years ago | (#34011964)

Are there such things? I mean, really... find me a browser that has enough Javascript support to have any hope of rendering Facebook, that doesn't at least support 128-bit RSA SSL. It's not 1998.

Re:A better explanation (3, Informative)

thomst (1640045) | more than 2 years ago | (#34011002)

here: http://codebutler.com/firesheep [codebutler.com] .

Steve Manuel of TechCrunch claims that the Force-TLS 2.0 [mozilla.org] Firefox extension can defeat Firesheep. (You have to configure it manually for each site you want to protect, though, so it's somewhat of a PITA.)

Another option is the HTTPS Everywhere [eff.org] Firefox extension from EFF and the Tor Project. Although HTTPS Everywhere has a predefined ruleset that includes some of the most popular Web sites, you'll still have to write your own ruleset [eff.org] for any site not on their default list.
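For the "write your own ruleset" step mentioned above, here is what such a ruleset looks like, written in the XML format HTTPS Everywhere documents for user rulesets. This is an added illustration, not the rule the extension ships for Facebook: the host list and the regular expressions are assumptions, and they would need checking against how the site actually answers over HTTPS (the chat breakage muckracer mentions above is the kind of thing an `exclusion` is for). The `securecookie` element is the part that addresses Firesheep directly: it flags the site's cookies as Secure so the browser stops sending them over HTTP.

```xml
<!-- Illustrative HTTPS Everywhere ruleset; not the one distributed by EFF. -->
<ruleset name="Facebook (example)">
  <!-- Hosts this ruleset applies to. -->
  <target host="facebook.com" />
  <target host="www.facebook.com" />
  <target host="login.facebook.com" />

  <!-- Rewrite every http:// URL on those hosts to https:// before the
       request is sent.  Assumed host patterns. -->
  <rule from="^http://(www\.)?facebook\.com/" to="https://www.facebook.com/" />
  <rule from="^http://login\.facebook\.com/" to="https://login.facebook.com/" />

  <!-- Mark all cookies for the domain as Secure so a client never sends
       them in the clear, even if some link drops back to HTTP. -->
  <securecookie host="^.*\.facebook\.com$" name=".*" />
</ruleset>
```

Rulesets of this kind go in the extension's user rules directory for the Firefox profile; the EFF page linked above describes where that is for each platform.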

Re:A better explaination (0)

Anonymous Coward | more than 2 years ago | (#34011900)

What keeps this from being deployed beyond social networking sites? Say, using someone's eBay account they haven't logged out of (not that logging out half the time actually deletes the cookie), and jacking in a bunch of bids on stupid or embarrassing items, or just to financially mess with or screw up the feedback rating of a user?

I've always wondered this. Apparently, others have too, because it looks like a lot of stuff aside from social networking isn't encrypted that relies on cookies for the more sensitive or monetary stuff.

This is why I've always been suspicious of ebay. That, and one time I put in a high bid early on instead of sniping (I sniped because I could never figure out if this couldn't be done, then it appears to have been done) because I had an appointment, and there was 1 bid, $.41 under mine, that didn't get rebid (at that point, they could see my bid amount fully, and $1 more could have had the item). Then I read a couple years later on /. how ebay never protected people from server side includes, and sellers were embedding code in their auction descriptions to report back bid amounts, and ebay allegedly KNEW about the practice and didn't care (higher bids, after all, means higher profit, so no reason for them to protect the buyer if this wasn't a regular practice). Sellers would simply use another account, place a bid just under, and profit big time. (And no, I'm not pissed at the price I paid so much as I'm pissed at the supposed described and fair system being gamed.)

and this is news ? (3, Insightful)

Torvac (691504) | more than 2 years ago | (#34010586)

someone in the same network sniffing your unencrypted traffic is Facebook's fault? or the fact that someone made a UI to do it for dummies?

Re:and this is news ? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#34010604)

the fact that it's unencrypted is Facebook's fault, it's not hard to push everything through HTTPS, there's no excuse these days

Re:and this is news ? (1)

arndawg (1468629) | more than 2 years ago | (#34010628)

"not hard". Well maybe not for your blog with 2 users per week. But for Facebook's load size it's not a matter of signing up with DigiCert and enabling SSL. But yeah. They probably should prioritize that instead of some fancy new web 2.0 feature.

Re:and this is news ? (1)

vlm (69642) | more than 2 years ago | (#34010668)

But for facebooks loadsize it's not a matter of signing up with digicert and enabling SSL.

Problems can be solved with money. Their only income stream is selling private information. Therefore:

Scenario one, your privacy is lost because they sell it to someone with money to pay for the dedicated SSL hardware cluster.

Scenario two, your privacy is lost because semi-smart people skimmed it away.

Since the end result is about the same, I'd rather reward the smart people than the greedy/rich people.

Re:and this is news ? (1)

savvysteve (1915898) | more than 2 years ago | (#34010874)

The fact that Facebook is getting all of this negative press is not surprising. It has been known for a long time that Facebook is the root of a lot of problems relating to fake antiviruses and spyware etc... If Facebook is pulling down billions a year then investing in a couple of million dollars in equipment or infrastructure to handle the load is minimal. At some point it will simply self destruct and users will begin a mass exodus once more and more articles about the dangers of Facebook are written and IT Professionals and techies begin informing everyone that using Facebook is dangerous especially on a Winblows PC.

Re:and this is news ? (3, Insightful)

Anrego (830717) | more than 2 years ago | (#34011262)

users will begin a mass exodus once more and more articles about the dangers of Facebook are written and IT Professionals and techies begin informing everyone that using Facebook is dangerous especially on a Winblows PC.

Oh you can't seriously believe that!

People have been screaming at the top of their lungs about how insecure facebook is and what they do with your information for years. Your average user just doesn't care as long as they can keep playing farmville!

Re:and this is news ? (4, Insightful)

PopeRatzo (965947) | more than 2 years ago | (#34011430)

Their only income stream is selling private information.

Good point.

I'm surprised so many people are upset about people stealing their private information, but have no problem with someone buying and selling their private information.

Re:and this is news ? (1, Informative)

Anonymous Coward | more than 2 years ago | (#34010930)

"not hard". Well maybe not for your blog with 2 users per week. But for facebooks loadsize it's not a matter of signing up with digicert and enabling SSL.

Facebook's issue isn't buying & installing a certificate, it's that they have so much web traffic that the CPU load of encrypting all that traffic (or buying dedicated encryption acceleration hardware) is significant.

Re:and this is news ? (2, Informative)

The Mighty Buzzard (878441) | more than 2 years ago | (#34010998)

While I'm inclined to agree that any remotely commercial website should offer and default to encrypted transfers, it also serves you right if you use a service that doesn't encrypt everything. Using a service that doesn't at least offer you the option of encryption is akin to driving a car that you know has defective brakes (ha, car analogy!). If shit goes badly and you knew better, you've no one to blame but yourself. If you didn't know better, it's your own fault for not educating yourself about such basic things and I shall mock you.

Unless you're a cookie baking grandmother willing to bribe me with baked goods. Principles be damned when there are fresh, warm cookies involved.

Re:and this is news ? (0)

Anonymous Coward | more than 2 years ago | (#34011738)

What I don't understand is why people are talking like Facebook isn't offered over HTTPS. There's no excuse not to be using https-everywhere. If you are using that plug-in, you're automatically using HTTPS on Facebook [facebook.com] by default. I guess you could argue it's Facebook's fault for not forcing its users to use HTTPS, but anyone with a hint of a clue is already using it anyway.

Re:and this is news ? (0)

Anonymous Coward | more than 2 years ago | (#34010608)

I couldn't get it to work, I suck at the internet :(

Re:and this is news ? (0)

Anonymous Coward | more than 2 years ago | (#34010646)

Why isn't Facebook requiring SSL? That's one of the things that seems so simple to me. If there is a user authenticated session, require SSL. If the session is just people putting items in a basket, then I can see not requiring it yet (at that point all you risk is exposing their shopping cart; possibly undesirable but possibly acceptable as people can look in my shopping basket IRL).

Re:and this is news ? (5, Insightful)

Ephemeriis (315124) | more than 2 years ago | (#34010652)

someone in the same network sniffing your unencrypted traffic is facebooks fault ?
or the fact that someone made a UI to do it for dummies ?

The fact that it is unencrypted is, yes.

Re:and this is news ? (1)

Afty0r (263037) | more than 2 years ago | (#34011760)

The fact that it is unencrypted is, yes.

Wait, it's Facebook's fault that you chose to browse their site unencrypted?

You have the choice - if you visit https://facebook.com/ [facebook.com] it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

Re:and this is news ? (4, Informative)

Aqualung812 (959532) | more than 2 years ago | (#34011828)

You have the choice - if you visit https://facebook.com/ [facebook.com] it will let you run your entire session on the site in https. They obviously support SSL for those who want it... I fail to see how it's their fault?

Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.

Re:and this is news ? (1)

biryokumaru (822262) | more than 2 years ago | (#34010824)

Why is it anyone's "fault?" Who cares? It's Facebook for science's sake! It's all just pictures of people's kids and crap, it doesn't matter at all if someone logs on as me and posts nonsense!

[/perspective]

Re:and this is news ? (1, Interesting)

Anonymous Coward | more than 2 years ago | (#34010974)

Post your user/pass if it doesn't matter. Put your action where your mouth/fingers is/are.

It's news in that people STILL don't get it (1)

Toe, The (545098) | more than 2 years ago | (#34010862)

The news is that still hardly anyone understands SSL or what it is for.

People like to see that little lock sign (or whatever obscure message their browser displays) when they log into their bank. But I sincerely doubt that the great majority of people have any idea that things like e-mail transactions can be routed over SSL or why that might be a good (i.e., critically important) idea.

Just scan your local neighborhood and look at (for an analogous example) how many people are still using WEP and thinking that somehow they are protecting themselves.

Re:It's news in that people STILL don't get it (1)

icebraining (1313345) | more than 2 years ago | (#34011600)

Email (IMAPS/SMTPS to your server) over SSL is nice but ultimately irrelevant, as you don't know if the rest of the path is encrypted. Only OpenPGP is safe.

WEP is similar; it's not a real protection, but stops the random kid trying to use your 'net to download stuff.

Why no encryption? (3, Interesting)

AHuxley (892839) | more than 2 years ago | (#34010626)

What is the CPU use and heat of the user base requesting and using SSL vs this bad news?
"Double-click on someone, and you're instantly logged in as them."
What's the extra use, 15-20%? vs unencrypted HTTP.
Would SSL being left off allow creative law enforcement uses?

Re:Why no encryption? (4, Funny)

betterunixthanunix (980855) | more than 2 years ago | (#34010714)

Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

Re:Why no encryption? (1)

sakdoctor (1087155) | more than 2 years ago | (#34010946)

SSL can be delegated to a PCI-e crypto accelerator board. [oracle.com]
Perhap the same would work for privacy violation?

Re:Why no encryption? (4, Funny)

cerberusss (660701) | more than 2 years ago | (#34012038)

Facebook's servers are too busy violating your privacy to handle the extra load of encryption ;)

Facebook's servers were hanging around in a dark alley one fateful night. My privacy just happened to think that particular night, let's take the shorter route home. It's as if Facebook's servers sniffed she was coming, despite her high privacy settings. They libpcaptured her, then stripped all of her headers and checksums, right down to the bare profile while taunting her loudly. Some traffic just passed by without doing anything. My privacy was violated again, and again, and Facebook's servers just kept going and going. Then they left my privacy "face"-down in a shallow ditch, some shreds of unique ROWIDs covering her bloodsoaked profile.

https everywhere (1)

NuShrike (561140) | more than 2 years ago | (#34010658)

Plugin-rebuttal.

Re:https everywhere (0)

Anonymous Coward | more than 2 years ago | (#34011178)

Re: Buttal plug in.

Re:https everywhere (4, Interesting)

anti-pop-frustration (814358) | more than 2 years ago | (#34011722)

https everywhere [eff.org] is indeed a great extension, and everybody should be using it.

But some of the services that Firesheep targets don't offer an https option *at all*. This is no rebuttal, it only proves the Firesheep developer's point: these services have an inappropriate level of security.

The worst offender is probably Yahoo! Mail. They don't even offer https to their paying customers! For one of the leading webmail service this is utterly unacceptable. https for login is a fig leaf, the only thing this does is give users a false sense of security.

What permissions do you need ? (1)

Haedrian (1676506) | more than 2 years ago | (#34010678)

What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

If it's the former, then there's nothing too special - sniffers can do that already.

If it's the latter, then it's time to put on the tinfoil hats.

Re:What permissions do you need ? (2, Informative)

pinkeen (1804300) | more than 2 years ago | (#34010838)

It is wifi sniffing. The data is in the air. All you need is to be in the range of client's radio transmissions. If the network is encrypted then you need WEP/WPA(2) key.

Re:What permissions do you need ? (3, Informative)

mbone (558574) | more than 2 years ago | (#34010960)

What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

None, no, and most emphatically yes.

Re:What permissions do you need ? (3, Informative)

Stray7Xi (698337) | more than 2 years ago | (#34011846)

What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?

You need to be administrator to place your network card into promiscuous mode [wikipedia.org] or rfmon for wireless.

So in a public wifi network you're screwed. In a public ethernet network it depends if it's a switched or hubbed network. But even in a switched network you could be vulnerable to this via ARP poisoning.

The takeaway is what we've known for decades, if you want private communications use encryption.

Another point is not "missing the point" (5, Insightful)

Chriscypher (409959) | more than 2 years ago | (#34010688)

squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

Another point does not "miss the point".

Transport security != corporate marketing of private data

Re:Another point is not "missing the point" (1, Informative)

Anonymous Coward | more than 2 years ago | (#34010854)

It also misses the point that Facebook is about *SHARING* data. The idea is you are sharing things with people. If you want to keep things private ... Facebook is not the place to do it.

If I do not want people to know something. It is simple I do not put it on the internet.

Facebook has created this idea of privacy itself that it will never match. They did it accidentally by putting a login on the front page in the first place. People have an expectation of privacy when you have to log in. Facebook was just using it so you can post as yourself. Not as a privacy feature.

Also people have a gut reaction of 'let's just SSL everything'. That is not practical, as SSL breaks caching of many things. By default SSL is not cached both on the browser and at many proxy servers (this is a good thing in many cases). But in this case that picture of you wolfing down hotdogs somewhere probably will never change. Yet it will not be cached if you pipe it over SSL. Not everyone has DSL or higher. There are people who are stuck on dialup and it will not get any better any time soon for them.

Re:Another point is not "missing the point" (1)

epine (68316) | more than 2 years ago | (#34012108)

It also misses the point that Facebook is about *SHARING* data. The idea is you are sharing things with people. If you want to keep things private ... Facebook is not the place to do it.

Duh! But I did enjoy watching the metal boomerang slice your hand off. I'm sure you won't mind if I share (having assumed your Facebook identity on the sly) that you're dumping your main squeeze because she slept with your boss, but you don't care because you're out now.

It's unfortunate that authentication and privacy get so badly conflated. The need for SSL certificates derives from the authentication function, but you can't establish a private connection without one, for no technical reason at all, but it's a nice racket. Sometimes I want privacy (e.g. plaintext passwords being exchanged) and sometimes I want authenticity (that only I post under my own identity).

Hopefully your fingers came off clean and can be surgically repaired. Next time, type smarter.

Concerning Facebook, it's a no-fly zone for me. I preferred sharing back in the day when sharing was only weakly transitive unless especially ghastly, malicious or inbred.

Promiscuous mode on any adapter? (5, Interesting)

SpinningCone (1278698) | more than 2 years ago | (#34010708)

I used to do sniffing and stuff like this a couple years ago and the biggest hurdle was finding a wireless adapter which would allow promiscuous mode. aircrack sells one that comes with 1st party drivers to allow sniffing. I used a linksys usb adapter since there were 3rd party drivers that allowed it.

Unless something has changed, I thought most wireless drivers didn't support promiscuous mode for sniffing.

Re:Promiscuous mode on any adapter? (1)

maxume (22995) | more than 2 years ago | (#34011414)

On Windows, sure, on Linux, not so much:

http://backtrack.offensive-security.com/index.php/HCL:Wireless [offensive-security.com]

Re:Promiscuous mode on any adapter? (1)

SpinningCone (1278698) | more than 2 years ago | (#34012004)

Yeah, it was easier for Linux, but the plugin doesn't even have Linux support yet; that's why I'm wondering how it works. Even more curious that a browser plugin has that level of access to the system.

How does it work? (3, Interesting)

pinkeen (1804300) | more than 2 years ago | (#34010712)

The article is extremely light on details. The plugin's page [codebutler.com] doesn't tell much either. I'm curious how it captures the WiFi packets. Is it possible to capture them when not in monitor mode?

Re:How does it work? (3, Informative)

will_die (586523) | more than 2 years ago | (#34011008)

You first need to install WinPcap [winpcap.org]; this is the program that does the actual work. You then log on to the wifi, using a password if required, and the program starts looking for known cookies. If it finds them it captures the info and gives you a nice user-friendly way of using them.
It can capture the wifi since anyone can capture them if you are within range of the transmissions. If you are not monitoring when the signals go out you cannot capture them.
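What the comment above describes, in code: this is an added example written for this page, not Firesheep's own code, which is not reproduced here. It walks constructed Ethernet/IPv4/TCP frames of the kind a capture library such as WinPcap hands to a program, pulls out plaintext HTTP requests, and matches the Cookie header against a per-site handler table, which is the pattern the comment calls "looking for known cookies". The HANDLERS domains and cookie names, the frames, and the build_frame helper are all assumptions constructed for the example.

```python
import struct

# Constructed handler table: which cookie names together identify a logged-in
# session on a domain. Domains and names are assumptions for this example,
# not taken from the real extension.
HANDLERS = {
    "example-social.test": ["sid", "uid"],
    "example-shop.test": ["session_token"],
}

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def tcp_payload(frame):
    """Walk Ethernet -> IPv4 -> TCP and return (dst_port, payload), else None."""
    if len(frame) < ETH_HDR_LEN + 40:          # 14 + minimal IP + minimal TCP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return dst_port, tcp[data_off:]


def parse_http_request(payload):
    """Return (host, {cookie name: value}) for a plaintext HTTP request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:                  # binary data, e.g. a TLS record
        return None
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    host = headers.get("host", [""])[0].split(":")[0].lower()
    cookies = {}
    for raw in headers.get("cookie", []):
        for part in raw.split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                cookies[name] = value
    return host, cookies


def match_handler(host):
    """Return (domain, session cookie names) if some handler covers host."""
    for domain, names in HANDLERS.items():
        if host == domain or host.endswith("." + domain):
            return domain, names
    return None


def harvest_sessions(frames):
    """Sessions visible in plaintext frames: list of (domain, {cookie: value})."""
    found = []
    for frame in frames:
        tp = tcp_payload(frame)
        if tp is None or tp[0] != 80:           # only plaintext HTTP; 443 is opaque
            continue
        req = parse_http_request(tp[1])
        if req is None:
            continue
        host, cookies = req
        m = match_handler(host)
        if m is None:
            continue
        domain, names = m
        if all(n in cookies for n in names):
            found.append((domain, {n: cookies[n] for n in names}))
    return found


def replay_request(domain, session, path="/"):
    """The request a hijacker sends: the same cookies, no password involved."""
    cookie = "; ".join(f"{k}={v}" for k, v in session.items())
    return f"GET {path} HTTP/1.1\r\nHost: {domain}\r\nCookie: {cookie}\r\n\r\n".encode()


def build_frame(dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero) for the sample."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


# Constructed capture: a logged-in request to a handled site over HTTP, one to
# an unhandled site, and a TLS ClientHello fragment on 443 that yields nothing.
SAMPLE_FRAMES = [
    build_frame(80, b"GET /home HTTP/1.1\r\nHost: www.example-social.test\r\n"
                    b"Cookie: locale=en; sid=abc123; uid=42\r\n\r\n"),
    build_frame(80, b"GET / HTTP/1.1\r\nHost: news.example.test\r\nCookie: sid=zzz\r\n\r\n"),
    build_frame(443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),
]

if __name__ == "__main__":
    for domain, session in harvest_sessions(SAMPLE_FRAMES):
        print(domain, session)
        print(replay_request(domain, session).decode())
```

The point the code makes is the one the thread keeps circling: nothing here is clever. The 443 frame yields nothing because the request is inside TLS; the port 80 frame yields a complete session because HTTP puts the cookie on the wire in the clear on every request.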

Am I the only one who finds it amusing... (2, Interesting)

Viol8 (599362) | more than 2 years ago | (#34010766)

... that the bleating masses who so readily rushed to put their entire lives and details on social networking sites despite all the warnings are now running around shouting at all the chickens that are coming home to roost?

For the rest of us with some common sense this is just hilarious.

Re:Am I the only one who finds it amusing... (3, Informative)

betterunixthanunix (980855) | more than 2 years ago | (#34010846)

To be fair, most of those people do not actually care. There is a small minority of users who do care, but for some reason continue to use those websites; the rest just want to follow the crowd without stopping to question anything.

Re:Am I the only one who finds it amusing... (1)

beh (4759) | more than 2 years ago | (#34010896)

For the rest of us with some common sense this is just hilarious.

You're making a bad judgment here - there is a lack of common sense in both IT geeks like 'us' and normal users (anyone outside IT).

The issue with facebook and security has nothing to do with common sense per se, but with IT training. You and I may know a few things about security, which may lead us to accept some things, but reject others.
People outside IT do not have this type of training, nor would it be easy to bestow it on them. It IS the kind of people (the 90+% of the planet) which cannot easily follow what's going on.

You can partially try and explain it to them, saying that Facebook's login is akin to a 'secret knock' at the kids secret hideout (you know - when we were kids and actually played outside, meeting each other). The password is like the secret knock letting you in. This secret knock has the problem that anyone within earshot will hear it and will likely be able to reproduce it. And - as you may have learnt as a kid, you don't knock on the secret club house door if you see anyone within earshot (who you know doesn't belong).

It's easy to explain, and a workable analogy. The problem for people now is, that their facebook cookie is a secret knock that needs to be transported halfway around the world in order to 'let you in'/'let you have the data you want'. And this is where the problem sets in - as a kid you may have learnt that anyone at a greater distance can't hear you knock.

On the Internet, potentially anyone along the way can - and from your home to Facebook's servers can be quite a distance.

The most likely point where your data may be intercepted is still at your own home - and again, you may feel safe, as you don't see anyone you don't know sitting in your own living room with his laptop running (and potentially listening in). The fact that your neighbour can, is already difficult enough to grasp for most people outside IT...

Re:Am I the only one who finds it amusing... (1)

kevinNCSU (1531307) | more than 2 years ago | (#34010976)

I hate to break it to you but the intersection of the set of people whom you consider to be the "bleating masses who so readily rushed to put their entire lives and details on social networking sites" and the set of people who read about the opensource project known as firesheep AND are really concerned about someone packet sniffing on their own network and then doing something malicious with it (just logging in is likely completely illegal) is probably incredibly small so no one is running around shouting now that the chickens have come home to roost. This is just a self satisfying notion that people want to believe from their nerd cave, that those dang sheep finally got their comeuppance for frolicking in the sun instead of hunkering down underground and now are all wailing why oh why didn't we listen to the nerds, but this simply isn't the case. Not yet anyways.

Lastly, if you're going to mix animal metaphors at least make them make sense. Sheep don't give a shit about chickens roosting. Now wolves in sheep's clothing on the other hand, that's got some promise in this situation.

Re:Am I the only one who finds it amusing... (1)

Viol8 (599362) | more than 2 years ago | (#34011564)

Well for a start mixing metaphors doesn't mean just using 2 in the same sentence and secondly if you think living your life on a social networking site is "frolicking in the sun" then I'd suggest you get out more my friend.

Re:Am I the only one who finds it amusing... (1)

mbone (558574) | more than 2 years ago | (#34011024)

Look, I know plenty of people who use Facebook and the like basically as a means to post blogs (or, as "twitter with 420 character posts"). They don't put up anything personally sensitive, but they would still be pissed off if someone stole their info and started putting up posts in support of neo-Nazi child pornography or whatever.

Re:Am I the only one who finds it amusing... (1)

Klinky (636952) | more than 2 years ago | (#34011162)

This is session cookie hijacking, it could be used to spoof your Slashdot credentials just as much as someone's Facebook account. Someone just put "Social Network" in the headline to make it seem more hip. Cookie spoofing has been known since the invention of Cookies.

Cookie theft (5, Insightful)

Securityemo (1407943) | more than 2 years ago | (#34010828)

It's "just" WiFi cookie theft. You can do that easily with wireshark and copy/paste, this just makes it a bit faster. The problem lies in session cookies, and this is a problem known for what, almost a decade now?
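Why the session cookie, not the password, is what a sniffer walks off with: the check below is an added example written for this page, not code from the page or the extension. It implements the RFC 6265 rules a browser follows when deciding whether to attach a stored cookie to a request (domain match, path match, and the Secure attribute). A session cookie that was set during an HTTPS login but without Secure is attached to every later plain-HTTP request to the same domain, which is exactly what a listener on the wifi sees. The hostnames and Set-Cookie headers are constructed for the example.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header, set_host):
    """Minimal Set-Cookie parser: name, value, Domain, Path, Secure, HttpOnly.
    set_host is the host that served the header (needed for host-only cookies)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "set_host": set_host.lower(),
              "domain": None, "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()   # leading dot is ignored
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie


def domain_matches(request_host, cookie):
    """RFC 6265 domain matching; a cookie without Domain is host-only."""
    if cookie["domain"] is None:
        return request_host == cookie["set_host"]
    return request_host == cookie["domain"] or request_host.endswith("." + cookie["domain"])


def path_matches(request_path, cookie_path):
    """RFC 6265 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_send(cookie, url):
    """Would a conforming browser attach this cookie to a request for url?"""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if not domain_matches(host, cookie):
        return False
    if not path_matches(u.path or "/", cookie["path"]):
        return False
    if cookie["secure"] and u.scheme != "https":   # the one attribute that matters here
        return False
    return True


def plaintext_exposure(set_cookie_headers, set_host, http_url):
    """Names of the cookies a browser would put on the plaintext request http_url."""
    cookies = [parse_set_cookie(h, set_host) for h in set_cookie_headers]
    return [c["name"] for c in cookies if would_send(c, http_url)]


# Constructed: the session cookie a site might set after an HTTPS login, once
# without and once with the Secure attribute. HttpOnly is present in both to
# show that it changes nothing about what goes on the wire.
LOGIN_HOST = "login.example-social.test"
WEAK_LOGIN_RESPONSE = ["sid=abc123; Domain=.example-social.test; Path=/; HttpOnly"]
HARD_LOGIN_RESPONSE = ["sid=abc123; Domain=.example-social.test; Path=/; Secure; HttpOnly"]
```

Run plaintext_exposure against the same http://www.example-social.test/home URL and the weak response exposes "sid" while the hardened one exposes nothing. The hardened cookie still goes out over https, so the site loses nothing by setting Secure except the ability to serve the logged-in session over plain HTTP at all, which is the real cost the thread argues about.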

Er, It's the lack of SSL (1)

mbone (558574) | more than 2 years ago | (#34010888)

It is the lack of SSL that is the problem here, and it is the non-use of SSL that 'is the elephant in the room,'

This has been going on for a long time now - attend a NANOG meeting and use unencrypted logins, and you may well see your password on the screen by the end of the meeting - the white hat guys routinely sniff the wireless for passwords.

Re:Er, It's the lack of SSL -- not needed (0)

Anonymous Coward | more than 2 years ago | (#34011672)

I know you wouldn't be arrogant enough to try to invent your own encryption algorithm, so don't be dumb enough to try to invent your own authentication protocol.

Follow Microsoft and steal it from the best: http://web.mit.edu/Kerberos/#what_is [mit.edu]

Invented by the professors at MIT to secure their own logins from the students at MIT. A.k.a. "forged in the fires of Mount Doom" and so safe from most threats.

The next step (1)

Fusione (980444) | more than 2 years ago | (#34011020)

Public wifi isn't secure.. in other slashdot news, water is wet and fire burns. Really though, the next step in this equation is for someone to run this at a really busy hotspot in NYC, and then to anonymously publish the results online. Bang! media coverage. Bang! reputation loss and user defection for compromised services. Bang! solution for problem gains financial incentive, and gets fixed.

Re:The next step (0)

Anonymous Coward | more than 2 years ago | (#34011492)

Publish what? The session cookies?

WPA2 will work better against this hack (1)

whitesea (1811570) | more than 2 years ago | (#34011092)

What is the problem? Protect your WiFi connection with WPA2 and this hack does not work. All around me almost any network is protected and these are regular folks, not some security gurus. Yes, their information may be stolen further down the wire, but this is not new. While I am all for SSL protection, this particular hack can be fought off by individual users. Even more, while HTTPS has to protect each individual site you go to, WPA2 creates a secure wireless tunnel that protects all your communications. Move along, nothing to see here :-).

Re:WPA2 will work better against this hack (2, Interesting)

Instant_Karmma (1730260) | more than 2 years ago | (#34011314)

This works on any network segment, including wired. How many people do you know that use Facebook, Amazon, etc. from their desks? Sure, your traffic could always be monitored by the PFY's in the data center, but now your pointy-haired boss has a tool that allows him to see what you've been buying. No thanks.

Re:WPA2 will work better against this hack (0)

Anonymous Coward | more than 2 years ago | (#34011642)

This works on any network segment, including wired.

How many people do you know that use Facebook, Amazon, etc. from their desks? Sure, your traffic could always be monitored by the PFY's in the data center, but now your pointy-haired boss has a tool that allows him to see what you've been buying.

No thanks.

Ah no. In most wired networks, the data is switched, and only travels down the wires it needs to. Your packets are not broadcasted to your boss's network jack. Unless he asks IT to set that up in the switch anyway.

Re:WPA2 will work better against this hack (1)

crunzh (1082841) | more than 2 years ago | (#34011986)

Only if it's not a switched network. WPA2 will work against this as the users can't see each other's traffic.

Re:WPA2 will work better against this hack (1)

Mashiara (5631) | more than 2 years ago | (#34012242)

Actually on wired network it depends on the switching hardware whether you're getting packets meant for others on your port or not (discounting active mac/arp spoofing but with properly configured high-end HW you will find yourself in an isolated network segment really quickly if you try that)
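The switched-versus-hubbed distinction discussed in the replies above only holds until someone poisons ARP, as the first reply in this section notes. The following is an added example written for this page, not code from the page or the extension: it builds a few constructed ARP frames for a victim, its gateway and an attacker on one LAN segment, and runs a simple detector over them that flags an IP address moving to a new MAC. The addresses are made up. A real detector reads frames from a capture library, as Firesheep does with WinPcap, and on managed switches the equivalent protection is dynamic ARP inspection on the switch itself.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def build_arp(oper, sha, spa, tha, tpa):
    """Constructed Ethernet+ARP frame: replies are unicast to tha, requests broadcast."""
    eth_dst = tha if oper == ARP_REPLY else BROADCAST
    return (eth_dst + sha + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + sha + ipaddress.IPv4Address(spa).packed
            + tha + ipaddress.IPv4Address(tpa).packed)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": frame[6:12], "oper": oper,
            "sha": frame[22:28], "spa": str(ipaddress.IPv4Address(frame[28:32])),
            "tha": frame[32:38], "tpa": str(ipaddress.IPv4Address(frame[38:42]))}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def detect_arp_poisoning(frames, known=None):
    """Flag replies that move an IP to a new MAC, or whose ARP sender MAC disagrees
    with the Ethernet source. `known` seeds IP -> MAC for hosts you trust (the
    gateway above all), so an attacker who answers first cannot set the baseline."""
    table = dict(known or {})
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REPLY:
            continue
        if arp["sha"] != arp["eth_src"]:
            alerts.append(f"{arp['spa']}: ARP sender {mac_str(arp['sha'])} "
                          f"differs from Ethernet source {mac_str(arp['eth_src'])}")
        first = table.setdefault(arp["spa"], arp["sha"])
        if first != arp["sha"]:
            alerts.append(f"{arp['spa']} moved from {mac_str(first)} to {mac_str(arp['sha'])}")
    return alerts


# Constructed capture on a switched LAN: the victim asks for the gateway, the
# gateway answers, then the attacker claims the gateway's IP for its own MAC so
# the switch starts delivering the victim's outbound traffic to the attacker.
GATEWAY_MAC = bytes.fromhex("00aabbccdd01")
VICTIM_MAC = bytes.fromhex("00aabbccdd02")
ATTACKER_MAC = bytes.fromhex("00aabbccdd03")
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "192.168.1.20", b"\x00" * 6, "192.168.1.1"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.20"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.20"),
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_FRAMES, known={"192.168.1.1": GATEWAY_MAC}):
        print(alert)
```

The blind spot is worth seeing in the test: if the attacker's reply is the first one observed and nothing was seeded, the detector records the attacker's MAC as the legitimate one and stays silent. Seeding the gateway's real MAC (or, on the switch, a static binding) closes that gap.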

Mobile Apps (1)

Don_dumb (927108) | more than 2 years ago | (#34011488)

It seems that this is most concerning for those logging in while using public networks (such as accessing with a cafe's WiFi).

So this leads me to ask if I am safer when using the Facebook/Amazon/eBay app rather than the mobile browser. Is the security of the iPhone or android apps better than the web security for Facebook?
Or can I make my access of these sites more secure myself somehow?

I must be really really old... (1)

X.25 (255792) | more than 2 years ago | (#34011996)

I really miss the old good days, where talks on security conferences would blow you away, and where people would actually talk about new security related things, rather than showing 76th way of automating a process/procedure that has been known for 10 years (always involving grabbing [flavor of the month service]'s password).

Oh well, guess people were in security world for different reasons 10 years ago...

Where are the Google apologists now? (0)

Anonymous Coward | more than 2 years ago | (#34012130)

Where are the guys who keep saying sending out unencrypted packets is the users' fault?

Hey, you should know your connection to Facebook is not encrypted, so anyone sniffing your packets is your own fault.

Oh, this rule only applies when otherwise Google would be blamed? My bad.

Spread this (1)

Amorymeltzer (1213818) | more than 2 years ago | (#34012236)

This needs to be heard by everyone. NOW. Sure, your New York Times access is largely trivial, but Facebook and gmail access? That's someone's life. Amazon, and soon Netflix, PayPal, and eBay? That's someone's money. Maybe once people start losing money and their jobs websites will realize the severity of security, as that's usually when it hits home. But until then, very neat.

Protect yourself: https://addons.mozilla.org/en-US/firefox/addon/12714/ [mozilla.org]
