The Mac Observer

Firefox Plug-in Snatches Facebook, Twitter Account Info


A new Firefox plug-in is ruffling security feathers thanks to its ability to snatch Web browser cookies for sites such as Facebook and Twitter and gain access to users’ accounts. The plug-in, called Firesheep, lets users see Web pages they shouldn’t have access to, and in many cases they can post as if they were the account owner.

“When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a ‘cookie’ which is used by your browser for all subsequent requests,” Firesheep developer Eric Butler said on his Web site.

With access to that initial cookie, someone could pose as the account owner and see anything the actual account owner would normally have access to including private messages. The process of intercepting those cookies is called “sidejacking.”

Firesheep: Snagging account authentication cookies on a network near you.

“On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy,” Mr. Butler said.

The Mac Observer’s tests showed that using the Firesheep plug-in only requires knowing how to install Firefox plug-ins. Once installed, the plug-in can be used to access the Facebook, Twitter, Yahoo!, Google and Amazon accounts of other users on the same network. The plug-in can intercept cookies for several other Web sites, too.

In TMO’s tests, we accessed a Facebook account and were able to post a message on the user’s wall as if we were the actual account owner.

Our tests also showed that using client apps on the iPhone and iPad, such as Twitter clients and Amazon’s own app, didn’t transfer information that Firesheep was able to intercept.

While the process of sidejacking isn’t new, Firesheep makes it surprisingly simple for nearly anyone to exploit the potential security flaw.

Fixing the problem for Web browsers requires sites to employ more secure communication protocols such as HTTPS or SSL. So far none of the companies TMO has contacted about the issue have replied.
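As an added illustration of the fix the article points to (this is not code from the article or from Firesheep), the following Python snippet audits a server’s Set-Cookie headers for session cookies that lack the Secure attribute and so would be sent in the clear over plain HTTP, exactly the traffic Firesheep reads. The cookie names, header values and name hints are constructed samples.

```python
# Added example: audit Set-Cookie headers for session cookies exposed to
# sidejacking. A cookie without the Secure attribute is attached to every
# plaintext HTTP request, where anyone on the same open network can read it;
# with Secure set, the browser only sends it over HTTPS.
from http.cookies import SimpleCookie

# Constructed sample headers, as a server might return after login.
# Cookie names are illustrative, not any real site's.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                        # exposed over HTTP
    "sessionid=abc123; Path=/; Secure; HttpOnly",                 # protected
    "prefs=dark; Path=/",                                         # not a session cookie
    "auth_token=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",  # protected
    "sid=77; Path=/",                                             # exposed, script-readable
]

# Substrings that usually mark the cookie carrying the login session
# (a heuristic; extend it for the application being audited).
SESSION_NAME_HINTS = ("sess", "auth", "token", "login", "sid")


def is_session_cookie(name: str) -> bool:
    """Heuristic: does this cookie name look like it carries an authenticated session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> list:
    """Return findings for one Set-Cookie header value as (cookie_name, issue_code).

    'no-secure'   : cookie travels in clear over HTTP (sidejackable on open networks)
    'no-httponly' : cookie is readable by page scripts
    An empty list means the cookie is not a session cookie or is already protected.
    """
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not is_session_cookie(name):
            continue
        if not morsel["secure"]:      # flag attributes are "" when absent, True when set
            findings.append((name, "no-secure"))
        if not morsel["httponly"]:
            findings.append((name, "no-httponly"))
    return findings


def audit_all(headers: list) -> list:
    """Audit a list of Set-Cookie header values and collect every finding."""
    return [finding for header in headers for finding in audit_set_cookie(header)]


if __name__ == "__main__":
    for cookie_name, issue in audit_all(SAMPLE_HEADERS):
        print(f"{cookie_name}: {issue}")
```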


13 Observer Comments

geoduck said on October 25th, 2010 at 4:13 PM (Edited: 01/26/2012 2:46 PM):

This is seriously scary stuff.

A new Firefox plug-in is ruffling security feathers thanks to its ability to snatch Web browser cookies for sites such as Facebook and Twitter and gain access to user’s accounts.

Am I correct in understanding that this plug-in listens to ambient WiFi and catches raw cookies out of the air as they pass?

Holy C***!

Am I correct in understanding that this plug-in listens to ambient WiFi and catches raw cookies out of the air as they pass?

That’s pretty much it. Once I installed the plug-in and joined an open network, Firesheep was able to snatch the authentication cookies from unsecured logins without any action on my part. Jumping into someone’s account is as simple as double-clicking their name in the Firefox sidebar.

Nemo said on October 25th, 2010 at 4:47 PM (Edited: 04/06/2011 11:14 AM):

Well, since Apple is the only Vendor/OEM that I am aware of that vets apps prior to allowing them on its App Store, all the rest, Google, Mozilla, et al, are subject to developers of bad character doing this kind of crap, with their only remedy being taking down the app after the fact.  I hope that the Mac Observer asked Mozilla how long it will take for it to remove the Firesheep from its Add-ons website.

Nemo said on October 25th, 2010 at 4:53 PM (Edited: 04/06/2011 11:14 AM):

Also, it has been reported that Apple and Google have kill switches in their respective iOS and Android operating systems. I don’t think that Mozilla has any such ability to delete installed plugins. Or does it? The Mac Observer might also ask whether Mozilla has a kill switch for Firefox. And, if it does, will it use it to remove installed instances of Firesheep from Firefox?

iVoid said on October 25th, 2010 at 4:59 PM (Edited: 10/25/2010 5:01 PM):

Nemo, you realize the real problem is not with this plug-in but with the websites that don’t use a secure connection to transmit cookies/verify passwords, don’t you?

This plug-in is a tool that shows a serious flaw and hopefully will prompt the companies involved to improve the security of their websites.

All banning the plug-in would do is keep the security problem out of sight and allow hackers to exploit it as they see fit.

So if you want to improve security, having a tool like this available will prompt security improvements.

Banning it only allows you to pretend there is no problem.

Help on hacker heroes vs banning nefarious crud? said on October 25th, 2010 at 6:17 PM:

As a She’sGeeky kinda gal, I’d like a balanced POV from hacker-ville in terms of banning/disallowing apps & plug-ins that create chaos (in my parenting/youth sphere, it’s the teen scene, so I have HUGE issues with cyberbullying opps like txtspoof.com that literally put the Molotov cocktail in kids’ hands and encourage them to ready aim/fire toward flaming frenemies) just because they ‘can.’ (often hackers say it’s about ‘finding the holes and testing the limits’)

While I understand the value in correcting security breaches there’s a wide swath of “uh-oh” that exposes and undermines human beings far beyond privacy and cookie setting, which we all know has led to some REALLY unfortunate digital misfires. (e.g. suicides of teens, etc)

I guess I’m asking…where is the legal line of ethics and limitation? Cookie snatching, financial exposure, privacy & beyond…when we scramble to ‘FIX’ it after the damage has been done? What about some pre-emptive logic here?

I realize cutting off a hacker or whacking a plug-in or mischievous app often only asks for yet another Medusasnake-like tendril to grow back even faster, but the damage done in this digital frontier sans vigilance in ‘find-n-fix’ mode is HUGE.

Preventive tactics? Security thoughts? ANYone?
@ShapingYouth

geoduck said on October 25th, 2010 at 6:26 PM (Edited: 01/26/2012 2:46 PM):

Question:
If traffic between the WAP and the computer is encrypted would that keep this from being able to grab the cookies?

If traffic between the WAP and the computer is encrypted would that keep this from being able to grab the cookies?

Yup, it looks like it just affects open networks (which are dangerous to use regardless of this plugin).

geoduck said on October 25th, 2010 at 7:09 PM (Edited: 01/26/2012 2:46 PM):

Then that would be the best advice for Help on Hacker ...yadda… yadda… yadda.

Make sure your network is encrypted. WPA2 is what we use.

But it doesn’t have to be wireless. I ran it on my desktop (no wireless) and it saw the cookies my laptop was serving up (Windows Live) on my laptop with the wireless turned off, but connected (Cat 5) to the same internet gateway.

This is not a wireless issue, it’s a network issue. The benefit of WPA etc. is that it encrypts the data. But, a wired network doesn’t bother to encrypt.

In the case of a school or business, it may be MORE secure to connect wirelessly using WPA etc. rather than connecting via a wire.

Why did this topic fall off the front page list of news items? It’s also no longer in the RSS feed.

ctopher - most wired traffic is switched, so you only see the packets destined for you. You sound like you are on an unswitched network (e.g. just a dumb hub feeding your machines rather than a router with NAT, etc.), which is why you would be able to see that data. Most wired networks are not set up like that.

You’re right! I have a really old 10BASE-T hub that is connected to the router, and all the computers connect to it.
