  1. #1
    harrybarracuda

    Firesheep exposes Cookie flaws.

    No more surfing your non-SSL login sites on free Wifi (that's if you did) - even the script kiddies can do this:

    A new extension for the Firefox web browser allows users to hijack the accounts of people logging into sites such as Facebook and Twitter on unsecured wireless networks.

    The Firesheep tool has been created by Seattle developer Eric Butler to expose the lax privacy measures of some of the most popular sites on the web.

    As soon as anyone on an unsecured network logs into an insecure website, their name and photo will be displayed in the Firesheep window ready to be exploited.

    The software works by latching onto the 'cookies' that contain information about a user's web session. As Butler explains: "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

    Butler says the risk could be avoided if all sites became fully-encrypted, like the secure ones used for online banking.

    He writes on his blog: "Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely?

    "Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website."

    Tom Martin, a developer at the 383 Project in Birmingham, explained how Firesheep works and what exactly it does:

    "The hack works by intercepting traffic between your computer and sites like Facebook and Twitter. The app steals cookies and allows you to impersonate another user on the network. Even if your home or office network is secure, anywhere you use a public network you could be in trouble - even iPhones connected to The Cloud in public areas such as cafes and shopping centers could be vulnerable to this type of attack.

    "Facebook already takes steps to prevent sign in fraud if it detects a sign in from another location or country, but as the victim and attacker are likely to be physically close to the attacker this type of defence will be ineffective. Facebook and Twitter can secure their sign in process by using SSL; this is the same technology used by banks and online retailers to protect your connection."

  2. #2

    dirtydog
    Hmmm, cookies with passwords in? Nope.

    From pcworld.

    Before privacy hawks freak out, it's not quite as bad as it sounds. Because Firesheep uses information swiped from cookies, it won't reveal passwords to any snoopers -- just a person's username and session number ID. So, while people might be able to see sensitive information (say, the person's Facebook account), they can't do anything that requires the password (for example, in Amazon, they won't be able to purchase anything or access credit card information).

    Furthermore, Firesheep is limited to hacking people on the same network -- so if you're on a password-protected network, only people on that network will potentially be able to get your information. Of course, this means that you should be extra careful while on an open or public Wi-Fi network.

    Butler told TechCrunch that the extension was designed to raise security awareness in both users and website administrators:

  3. #3
    harrybarracuda
    Where did it mention cookies with passwords?

    It says "The app steals cookies and allows you to impersonate another user on the network.".

    It highlights an inherent flaw in many sites once you have logged in.

  4. #4

    dirtydog
    You need a password to log in, obviously you can confuse the software if you have other people's cookies, but you can do that yourself using a cookie editor or just a notepad if you have a few of the cookies, but still can't log in as them unless you have the password.

  5. #5
    harrybarracuda
    Originally posted by dirtydog:
    "You need a password to log in, obviously you can confuse the software if you have other people's cookies, but you can do that yourself using a cookie editor or just a notepad if you have a few of the cookies, but still can't log in as them unless you have the password."

    I think the thrust of the project is to point out that many sites, once login credentials have been accepted and verified, will simply rely on cookies to keep the session open.

    Which means you can impersonate someone already logged in.

    Let's hope it encourages web developers to not be so frigging lazy, which is what it's designed to do.

    Added: I should elaborate. This is not a newly discovered security hole. Firesheep requires WinPCap to be installed, which has been available for years.

    What it does do, though, is remove the need to manually examine captured packets and work out which cookie is going to which IP. It very much simplifies the whole process. Hence my comment in the very first line that now "even script kiddies can do this". You install it, wait until it gives you a user, click on it and see if you can hijack their session. Dreadfully simple.

    So for a while, at least, there will be a surge in people using it, without any other motivation than being nosy; which doesn't mitigate the possibility that now those not quite so technical will also try and use it nefariously.

    But as it only applies to unencrypted sessions on inherently insecure servers over unencrypted Wifi, it really isn't going to bother me too much. I tend not to line up the dominoes like that.
    Last edited by harrybarracuda; 27-10-2010 at 06:21 PM.

  6. #6
    harrybarracuda
    A little addendum:

    Butler’s program empowered 104,000 lazy people to download it the first day. (Later updated by Butler to 129,000.) It has also led to a counter-tool called Idiocy, a virtual hand slap that does a session hijack, posts a warning tweet, and then tells victims what to do in order to prevent it from happening again.
    In his follow-on blog post, Butler continues to insist he’s a good guy interested only in your security, says Firesheep only puts a pretty user interface on tools that already exist, and attacks sites which either charge for use of https or implement it sparingly, claiming a performance hit.

  7. #7
    harrybarracuda
    And now you can upset Twidiots as well.
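
The point made in post #5, that many sites rely on the cookie alone to keep a session open after login, can be checked from the site operator's side. As an added example (not part of the thread and not Firesheep code), this Python script audits response headers for session cookies that would cross the network unencrypted; the cookie-name heuristic, the `audit_response` helper and the example.test responses are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Substrings that mark a cookie as a session identifier (assumed heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token")

def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    is_https = url.lower().startswith("https://")
    seen = {name.lower() for name, _ in headers}
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                if not any(h in cname.lower() for h in SESSION_HINTS):
                    continue  # not a session cookie, ignore it
                if not is_https:
                    findings.append(f"{cname}: issued over plain HTTP")
                elif not morsel["secure"]:
                    # Browser will also send it on later http:// requests.
                    findings.append(f"{cname}: no Secure attribute")
        elif key == "location" and is_https and value.lower().startswith("http://"):
            # SSL used for sign-in only, then the session continues in clear.
            findings.append("redirect downgrades HTTPS to HTTP")
    if is_https and "strict-transport-security" not in seen:
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample responses; example.test is a placeholder host.
SAMPLES = [
    ("https://example.test/login", [
        ("Set-Cookie", "session_id=abc123; Path=/"),
        ("Location", "http://example.test/home"),
    ]),
    ("https://example.test/login", [
        ("Set-Cookie", "session_id=abc123; Path=/; Secure"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Location", "https://example.test/home"),
    ]),
    ("http://example.test/home", [
        ("Set-Cookie", "lang=en; Path=/"),
        ("Set-Cookie", "sid=xyz; Path=/"),
    ]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit_response(url, headers) or "OK")
```

The first sample is the pattern the thread describes: the sign-in is encrypted, but the session cookie is then free to travel over plain HTTP on an open network.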

