I’m sitting here in Starbucks right now playing around with something called firesheep. Some of you may have heard of it as it’s been in the web news a lot in the last few days.
Let me give you a bit of background on what exactly firesheep is.
Firesheep is a Firerfox add-in that demonstrates just exactly how insecure those ‘secure’ sites are. The sites I’m talking about are:
Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facbook, Flickr, foursquare, GitHub, Google, Gowalla, Hacker News, Harvest, Windows Live, New York Times, Pivotal Tracker, ToorCon: San Diego, Slicehost SliceManager, tumblr.com, Twitter, WordPress, Yahoo and Yelp
What it does is monitor the wi-fi network and grab any of the cookies that are posted to those sites as people are logging in and authenticating to the sites with their accounts. The initial login may be encrypted, but the ensuing cookie used by the sites to keep a track of the sessions aren’t.
A better and full description of what Firesheep does is here, from the author’s web site (Code Butler – http://codebutler.com/firesheep):
When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.
It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else.
This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely?
Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
I’ll bet my entire years pay that you have used at least two out of all of the above listed sites at least once in the last week (assuming you have a network connection and you have had the time to get online for one reason or another).
You may also notice that there are a few sites up there that people think are ‘hack proof’ or so security conscious that they can’t be hacked by simple ‘leapfrog’ or hi-jacking attempts (as some people have said in previous posts here).
There are very few requirements to using Firesheep. They are:
– Mac OS X: 10.5 or newer on an Intel Processor
– Windows: XP or newer. Install Winpcap first!
– Firefox: 3.6.12 or newer. 32-bit only. Fireforx 4.x beta is currently not supported
Once you have it downloaded and installed, that’s it. Open Firefox, open the side panel, click on start capture and start getting what you want.
You don’t even have to have a live session to get back into the peoples accounts. You can just save them for later and go about your business collecting and playing later. I can see this as a GREAT tool for law enforcement or military intelligence use as well as a great evil tool for stalkers.
The capture process does capture quite a bit, and tells it all to you in an easy to understand format (if you know what you’re looking at).
As I was playing around with it, I was sitting in a Starbucks and it started to get a little busy. While ‘browsing’ I was able to capture several users information and with the help of a previously unaware user, I was able to verify that I can indeed log in as her and do whatever I wanted to do.
Let me explain something here, this tool gives you incredible power over someone’s account. Just about the only thing that you could not do, would be to access an area that requests password verification a second time of the site that you are on. I located the user that I had captured and approached them.
I introduced myself and let them know that I was doing an article for a magazine on the lack of security of some of the sites that they was visiting (in fact they visited 5 out of the sites listed within 20 minutes). I explained exactly what I was doing and asked if I could log in as them.
They were hesitant till I produced my credentials (drivers license, business card, etc) and they asked if I wanted their password or if I wanted them to log in. I said no, I just wanted permission to attempt to log in as them. They gave me their computer and I stated that I didn’t need it.
I then showed them my screen and let them watch what I was doing. I double clicked on the icon in my side bar and in fact made a posting from their Facebook and Twitter account with no problems.
At this point, let me explain to you that they just about jumped out of their skin. They looked quite worried. I assured them that I was not intending to do anything malicious and to prove it I removed the information from my system and cleared the cache.
I did let them know that they needs to be a little weary of open wi-fi access points and just because they ‘think’ they’re safe, they need to be careful of where they’re logging in.
We spoke for about another 30-40 minutes after I showed them this and I gave them a few pointers on internet security as well as helping to tighten down the facebook profile.
I think that we have another user that’s going to be playing with Firesheep (since it’s so easy even a caveman can do it), even though before today all they really used the computer for was to Facebook, Tweet and buy a few things from Amazon.com.
Because of the information that is stored within the cookies as well as some of the login information within the application, I’m not giving you actual screen shots of my attempt however; I have provided screen shots from the authors website to give you an idea.
In another article, I’ll be examining ways to block Firesheep and how to know when you’re being sniffed.
So, now that you’ve seen proof that these sites can be ‘hacked’ what are your thoughts on this? Have you heard about Firesheep? Are you using BlackSheep or Firesheep yourself?
Information Security Correspondent
Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.