Firefox Plug-in Snatches Facebook, Twitter Account Info


A new Firefox plug-in is ruffling security feathers thanks to its ability to snatch Web browser cookies for sites such as Facebook and Twitter and gain access to users’ accounts. The plug-in, called Firesheep, lets users see Web pages they shouldn’t have access to and in many cases they can post as if they were the account owner.

“When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a ‘cookie’ which is used by your browser for all subsequent requests,” Firesheep developer Eric Butler said on his Web site.

With access to that initial cookie, someone could pose as the account owner and see anything the actual account owner would normally have access to including private messages. The process of intercepting those cookies is called “sidejacking.”

Firesheep: Snagging account authentication cookies on a network near you.

“On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy,” Mr. Butler said.

The Mac Observer’s tests showed that using the Firesheep plug-in only requires knowing how to install Firefox plug-ins. Once installed, the plug-in can be used to access the Facebook, Twitter, Yahoo!, Google and Amazon accounts of other users on the same network. The plug-in can intercept cookies for several other Web sites, too.

In TMO’s tests, we accessed a Facebook account and were able to post a message on the user’s wall as if we were the actual account owner.

Our tests also showed that using client apps on the iPhone and iPad, such as Twitter clients and Amazon’s own app, didn’t transfer information that Firesheep was able to intercept.

While the process of sidejacking isn’t new, Firesheep makes it surprisingly simple for nearly anyone to exploit the potential security flaw.

Fixing the problem for Web browsers requires sites to use encrypted communication protocols such as HTTPS (HTTP over SSL) rather than plain HTTP. So far none of the companies TMO has contacted about the issue have replied.
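What a site operator can check on their own side, as an added example that is not code from the article or from Firesheep: the script below audits a recorded HTTP response for the conditions that let a session cookie travel in the clear (a page served over plain HTTP without redirecting to HTTPS, an HTTPS response with no Strict-Transport-Security header, and Set-Cookie headers lacking the Secure and HttpOnly attributes). The sample responses, the cookie name `sessionid`, and the `SESSION_HINTS` name fragments are all constructed for the demo.

```python
"""Offline audit of a site's cookie and transport settings against sidejacking.

Added example, not code from the article or from Firesheep. It checks the
server-side conditions that let a login cookie be transmitted in plaintext:
a page served over http:// without a redirect to https://, an https://
response without HSTS, and Set-Cookie headers without Secure / HttpOnly.
All sample headers below are constructed for the demo.
"""
from typing import Dict, List, NamedTuple, Tuple

Header = Tuple[str, str]
Finding = Tuple[str, str]  # (subject, description)

# Hypothetical name fragments used to guess which cookies carry a login session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


class Cookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, str]  # attribute names lowercased; flag attributes map to ""


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie value into name, value and an attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def looks_like_session(name: str) -> bool:
    """Heuristic: does the cookie name suggest it carries a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(scheme: str, status: int, headers: List[Header]) -> List[Finding]:
    """Return findings for one response fetched over `scheme` ("http"/"https")."""
    findings: List[Finding] = []
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    if scheme == "http":
        # A plain-HTTP page is acceptable only if it immediately sends the
        # browser to the HTTPS version; anything else exposes the session.
        location = by_name.get("location", [""])[0]
        redirected = 300 <= status < 400 and location.lower().startswith("https://")
        if not redirected:
            findings.append(("transport", "served over plain HTTP without redirect to HTTPS"))
    elif "strict-transport-security" not in by_name:
        # Without HSTS the browser will still try http:// on the next visit.
        findings.append(("transport", "HTTPS response lacks Strict-Transport-Security"))

    for raw in by_name.get("set-cookie", []):
        cookie = parse_set_cookie(raw)
        if "secure" not in cookie.attrs:
            findings.append((cookie.name, "no Secure attribute: browser will send it over plain HTTP"))
        if looks_like_session(cookie.name) and "httponly" not in cookie.attrs:
            findings.append((cookie.name, "session cookie without HttpOnly: readable by page scripts"))
    return findings


# Constructed sample: a login response that sets its session cookie over plain HTTP.
WEAK_RESPONSE = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0ffee1234; Path=/"),
])

# Constructed sample: the same login served the way the article's fix requires.
HARDENED_RESPONSE = ("https", 200, [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=c0ffee1234; Path=/; Secure; HttpOnly; SameSite=Lax"),
])


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}:")
        for subject, desc in audit_response(*resp) or [("-", "no findings")]:
            print(f"  [{subject}] {desc}")
```

The Secure attribute is the piece that directly addresses the article's scenario: a cookie without it is attached by the browser to every plain-HTTP request for the site, so even a site that offers HTTPS for its login page leaks the session the first time the user follows an http:// link on the same open network.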


Comments

geoduck

This is seriously scary stuff.

A new Firefox plug-in is ruffling security feathers thanks to its ability to snatch Web browser cookies for sites such as Facebook and Twitter and gain access to user’s accounts.

Am I correct in understanding that this plug in listens to ambient WiFi and catches raw cookies out of the air as they pass?

Holy C***!

Jeff Gamet

Am I correct in understanding that this plug in listens to ambient WiFi and catches raw cookies out of the air as they pass?

That’s pretty much it. Once I installed the plug-in and joined an open network Firesheep was able to snatch the authentication cookies from unsecure logins without any action on my part. Jumping into someone’s account is as simple as double-clicking their name in the Firefox sidebar.

Nemo

Well, since Apple is the only Vendor/OEM that I am aware of that vets apps prior to allowing them on its App Store, all the rest, Google, Mozilla, et al, are subject to developers of bad character doing this kind of crap, with their only remedy being taking down the app after the fact.  I hope that the Mac Observer asked Mozilla how long it will take for it to remove the Firesheep from its Add-ons website.

Nemo

Also, it has been reported that Apple and Google have kill switches in their respective iOS and Android operating systems. I don’t think that Mozilla has any such ability to delete installed plugins. Or does it? The Mac Observer might also ask whether Mozilla has a kill switch for Firefox. And, if it does, will it use it to remove installed instances of Firesheep from Firefox.

iVoid

Nemo, you realize the real problem is not with this plug-in but with the websites that don’t use a secure connection to transmit cookies/verify passwords, don’t you?

This plug-in is a tool that shows a serious flaw and hopefully will prompt the companies involved to improve the security of their websites.

All banning the plug-in would do is keep the security problem out of sight and allow hackers to exploit it as they see fit.

So if you want to improve security, having a tool like this available will prompt security improvements.

Banning it only allows you pretend there is no problem.

Help on hacker heroes vs banning nefarious crud?

As a She’sGeeky kinda gal, I’d like a balanced POV from hacker-ville in terms of banning/disallowing apps & plug-ins that create chaos (in my parenting/youth sphere, it’s the teen scene, so I have HUGE issues with cyberbullying opps like txtspoof.com that literally put the Molotov cocktail in kids’ hands and encourage them to ready aim/fire toward flaming frenemies) just because they ‘can.’ (often hackers say it’s about ‘finding the holes and testing the limits’)

While I understand the value in correcting security breaches there’s a wide swath of “uh-oh” that exposes and undermines human beings far beyond privacy and cookie setting, which we all know has led to some REALLY unfortunate digital misfires. (e.g. suicides of teens, etc)

I guess I’m asking…where is the legal line of ethics and limitation? Cookie snatching, financial exposure, privacy & beyond…when we scramble to ‘FIX’ it after the damage has been done? What about some pre-emptive logic here?

I realize cutting off a hacker or whacking a plug-in or mischievous app often only asks for yet another Medusasnake-like tendril to grow back even faster, but the damage done in this digital frontier sans vigilance in ‘find-n-fix’ mode is HUGE.

Preventive tactics? Security thoughts? ANYone?
@ShapingYouth

geoduck

Question:
If traffic between the WAP and the computer is encrypted would that keep this from being able to grab the cookies?

iVoid

If traffic between the WAP and the computer is encrypted would that keep this from being able to grab the cookies?

Yup, it looks like it just affects open networks (which are dangerous to use regardless of this plugin).

geoduck

Then that would be the best advice for Help on Hacker ...yadda… yadda… yadda.

Make sure your network is encrypted. WPA2 is what we use.

ctopher

But it doesn’t have to be wireless. I ran it on my desktop (no wireless) and it saw the cookies my laptop was serving up (Windows Live) on my laptop with the wireless turned off, but connected (Cat 5) to the same internet gateway.

This is not a wireless issue, it’s a network issue. The benefit of WPA etc. is that it encrypts the data. But, a wired network doesn’t bother to encrypt.

In the case of a school or business, it may be MORE secure to connect wirelessly using WPA etc. rather than connecting via a wire.

ctopher

Why did this topic fall off the front page list of news items? It’s also no longer in the RSS feed.

Ed

ctopher - most wired traffic is switched, so you only see the packets destined for you. You sound like you are on an unswitched network (e.g. just a dumb hub feeding your machines rather than a router with NAT, etc.), which is why you would be able to see that data. Most wired networks are not set up like that.

ctopher

You’re right! I have a really old 10BASE-T hub that is connected to the router and all the computers connect to it.
