Facebook uses browser cookies to identify who you are. These are transmitted unencrypted across wireless networks. As such, it is easy for someone to listen in, copy the cookies, and then use them to impersonate you. Firesheep is a Firefox plugin that automates this process.
Sharing a wireless connection with a bunch of flatmates? Any of them can easily access all your Facebook information or impersonate you. Same goes for people in coffee shops, libraries, on vehicles with WiFi, and so on.
Bruce Schneier brought the attack to my attention and also suggests a good countermeasure: forcing Facebook to use encrypted HTTPS connections using other plugins.
Of course, HTTPS is vulnerable to man-in-the-middle attacks, but that is probably beyond the scope of what some random Facebook hacker would attempt. That being said, what I said before about Facebook and privacy holds true – you are best off only putting things on the site that you are happy for everybody in the world to see. That applies as much to private messages between users and ‘private’ photo albums as it does to status updates broadcase to one and all.
Liar, Liar, Sheep on Fire
Glenn Fleishman at 9:00 AM Wednesday, Oct 27, 2010
Firesheep should freak you out, at least for a moment. It’s a Firefox extension that lets any normal human being–I’m not talking about you, BoingBoing readers–install the add-on and then steal the active sessions of people using unencrypted browsing sessions with popular online services on the same Wi-Fi network. This involves no Wi-Fi foolery, because the necessary network traffic is openly available.
Walk into any busy coffeeshop, fire up the ‘sheep, and a list of potential identities to assume at any of two dozen popular sites appears. Double-click, and you snarf their identifying token, and log in to the site in question as that person.
Firesheep is a business-model tour de force, not a zero-day technical one. It’s a proof of concept that repackages and expands on earlier security research to expose a failure in the risk profile adopted by Web sites on behalf of their unsuspecting users. There’s no money to be made by a Web site in fixing this problem for its customers or readers. Thus, only a security-conscious CIO might be able to push through the budget item necessary to bump the back-end systems up to the level needed.
Firesheep is a public relations exploit, too; it’s so easy to use and to demonstrate that it shot round the world. Previous demonstrations spread the word in the tech community, and a little beyond. Firesheep is telegenic.
This exploit also works with Amazon.com. It can be used to cancel existing orders, or even place new ones for those with 1-click shopping enabled.
Friends of mine seem to get their Facebook accounts hacked pretty often – usually just to send spam.
I guess I should be glad interference in my house keeps me from using WiFi at all. Go old-fashioned Ethernet, snaking across the floor.
Thanks for this, Milan.
1. The attacker needs to be able to “sniff” the network packets, in order to grab the cookie. Firesheep doesn’t do that by itself, but works with packet capture software that comes standard on many computers (or can be freely downloaded). The attacker places himself on the same network as the victim – such as a wireless hotspot in a coffee shop – and if the network is unencrypted, the attacker can eavesdrop on all traffic that flows over the wireless link.
2. Firesheep then monitors the network traffic, looking for a “cookie” to be sent. When you log in to certain websites, you first provide a username and password, which are often sent encrypted. (You’ll see “https:” in the URL of encrypted pages.) However, after you log in successfully, some sites use a session cookie that stays active during your login: anyone who captures and sends that cookie to the originating website can mimic you. If you log in to Twitter, for example, session cookies are then sent between your computer and Twitter, which the attacker can then exploit to send tweets under your name.
The attacker doesn’t need to know your password: the website will simply believe the attacker is you, because they have your cookie. Many websites only protect the login page (encrypting your username and password), but turn off the encryption on the rest of the website. Result? Cookies are sent in the clear (unencrypted), attackers can intercept them, then hijack your session and gain access to your account. There is no way to detect that someone else on your Wi-Fi connection is using Firesheep. This vulnerability has been noted on a number of websites, including Flickr, Tumblr, and WordPress.
Slashdot already covered Firesheep, the Firefox extension that makes it easier to steal logins and take over social media and email accounts after users log in from a WiFi hotspot or even their own unprotected network. Zscaler researchers have created, and are now offering to every consumer, a free Firefox plugin called BlackSheep, which serves as a counter-measure. BlackSheep combats Firesheep by monitoring traffic and then alerting users if Firesheep is being used on the network. BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked.
Firesheep sniffs unsecured connections with major Web sites over local networks and lets a user with the Firefox plug-in installed sidejack those sessions. A trope has spread that the way to solve this problem is to password protect open Wi-Fi networks, such as those run by AT&T at Starbucks and McDonald’s. The technical argument is that on a WPA/WPA2 (Wi-Fi Protected Access) network in which a common shared password is used, the access point nonetheless generates a unique key for each client when it connects. You can’t just know the network password and decode all the traffic, as with the broken WEP (Wired Equivalent Privacy) encryption that first shipped with 802.11b back in the late 1990s.
Steve Gibson, a veteran computer-security writer and developer, suggested this the moment Firesheep was announced. A blog post at security consultant Sophos makes the same suggestion. But it won’t work for long.
Gibson notes the key problem to this approach in the comments to his post: every user with the shared key can sniff the transaction in which another client is assigned its unique key, and duplicate it. Further, if you join a network with many clients already connected, you can use the aircrack-ng suite to force a deauthentication. That doesn’t drop a client off the network; rather, it forces its Wi-Fi drivers to perform a new handshake in which all the details are exposed to derive the key.
Thus, you could defeat Firesheep today by assigning a shared key to a Wi-Fi network until the point at which some clever person simply grafts aircrack-ng into Firesheep to create an automated way to deauth clients, snatch their keys, and then perform the normal sheepshearing operations to grab tokens. I would suspect this might be dubbed Firecracker
EFF’s latest HTTPS Everywhere plugin helps protect against Firesheep-style attacks
Cory Doctorow at 9:09 AM Tuesday, Nov 23, 2010
The new version of the Electronic Frontier Foundation’s excellent HTTPS Everywhere browser tool specifically protects against having your credentials to many popular sites lifted with Firesheep (as well as by deliberately malicious tools that actual bad guys make). Wherever a site allows for SSL throughout your session, HTTPS Everywhere will add this. I was recently at EFF and asked Seth Schoen, a staff technologist, to print my boarding card for the next day’s flight from his computer. It took a long time. When I asked why this was, Seth told me that he’d realized that Continental didn’t use SSL to transmit boarding cards by default, but that they supported it, so he was adding a HTTPS Everywhere rule to make sure all the HTTPS Everywhere users who used Continental’s boarding pass service would be protected in future. EFF is adding new sites by the shovel-load, making the free/open HTTPS Everywhere indispensable.
You can enter a Twitter or Flickr username into the software’s interface, or use the in-built search utility to find users of interest. When you hit the ‘Geolocate Target’ button, Creepy goes off and uses the services’ APIs to download every photo or tweet they’ve ever published, analysing each for that critical piece of information: the user’s location at the time.
While Twitter’s geolocation setting is optional, images shared on the service via sites like Twitpic and Yfrog are often taken on a smartphone – which, unbeknownst to the user, records the location information in the EXIF data of the image. Creepy finds these photos, downloads them, and extracts the location data.
When the software finishes its run, it presents you with a map visualising every location that it found – and that’s when the hairs on the back of your neck go up. While the location of an individual tweet might not reveal much, visualising a user’s history on a map reveals clusters around their home, their workplace, and the areas they hang out. Everything a stalker could need, in other words.
“Facebook this week will begin turning on secure browsing by default for its millions of users in North America. The change will make HTTPS the default connection option for all Facebook sessions for those users, a shift that gives them a good baseline level of security and will help prevent some common attacks. Facebook users have had the option of turning on HTTPS since early 2011 when the company reacted to attention surrounding the Firesheep attacks. However, the technology was not enabled by default and users have had to opt-in and manually make the change in order to get the better protection of HTTPS.”