Your password is extremely vulnerable, read this!

Q
27th October 2010, 07:08
For a few days now there has been a new Firefox extension called Firesheep which extracts passwords from wifi connections as if it were child's play... which it is. Websites like Twitter and Facebook are surprisingly careless on this issue and I urge everyone to take a look into this matter as soon as possible. I'll post the Firesheep developer's blog post dealing with the issue (http://codebutler.com/firesheep) here:


Firesheep

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

Today at Toorcon 12 (http://sandiego.toorcon.org/) I announced the release of Firesheep (http://codebutler.github.com/firesheep), a Firefox extension designed to demonstrate just how serious this problem is.

After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.

http://posterous.com/getfile/files.posterous.com/codebutler/R4SK9YORZrJ2Frgy2f3SHFauDrempyLu0myyULhlxAF05wzIAX6Gn4j79x3c/one.png

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:

http://posterous.com/getfile/files.posterous.com/codebutler/6nvpA0znHaNMLWR5DvqsHwLD16E6Z7VwkiGHl9RnK2zKvuWSF3mGMj88Rtgm/two.png

Double-click on someone, and you're instantly logged in as them.

http://posterous.com/getfile/files.posterous.com/codebutler/KBw6HGlZ05ptbrg2kPOMPm2z2o1WxrP8bmAKDEybQVUfIKXEanzqIebB7j3L/three.png

That's it.

Firesheep (http://codebutler.github.com/firesheep) is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

¿Que?
27th October 2010, 07:21
Yeah, I heard about this. In some ways, it's kind of scary, but I try to avoid any password protected site on public wifi's anyway. In some ways it's pretty fucking cool!

greenwarbler
27th October 2010, 08:48
Well, now that I know I can easily cop anyone's Facebook and Twitter account passwords by simply installing a Firefox extension, I feel stupid for all these years of setting up fake accounts under aliases, and communicating with others that way! Perhaps I'm really khad, or Q, or both..?

JosefStalinator
27th October 2010, 10:48
This is scary... thanks for the heads up!

Tjis
27th October 2010, 15:34
Why is revleft not using HTTPS? Our passwords can just as easily be snooped.

Q
27th October 2010, 15:59
Why is revleft not using HTTPS? Our passwords can just as easily be snooped.

We're aware of the issue and discussing appropriate measures. For now I advise everyone not to login through a wireless connection, if possible. To be sure you're doing this right:

1. Connect a LAN cable to your laptop, computer or other computing device. You should connect automatically; if not, connect manually through it.
2. Disconnect from your wireless connection.
3. Login to Revleft.
4. You can now safely reconnect to your wireless and disconnect your LAN cable.

For clarity's sake: You're even at risk when you're simply accessing Revleft after your session expired and your browser resends a cookie to auto-login (if you have auto-login enabled).

Sorry for the inconvenience.

Decolonize The Left
27th October 2010, 16:12
What about auto-logins? Doesn't this mean that I allow a cookie to be saved on my comp and whenever I open the revleft.com homepage I'm already logged in? Does this mean there are no cookies transferred (after the initial one)?

- August

Edelweiss
27th October 2010, 16:15
For now I advise everyone not to login through a wireless connection, if possible.

No, the correct advice would be not to login from an open wireless connection like at airports, cafes etc.

Q
27th October 2010, 16:19
No, the correct advice would be not to login from an open wireless connection like at airports, cafes etc.

Yes, correct. But it should be noted that WEP-encrypted wireless connections are crap anyhow (though they finally seem to be dying out). Then there are various generations of WPA encryption with added security; I believe WPA with AES is the most secure (and in a few years the other WPA encryptions won't be possible anymore on newly sold devices).

Tjis
27th October 2010, 16:20
We're aware of the issue and discussing appropriate measures. For now I advise everyone not to login through a wireless connection, if possible. To be sure you're doing this right:

1. Connect a LAN cable to your laptop, computer or other computing device. You should connect automatically; if not, connect manually through it.
2. Disconnect from your wireless connection.
3. Login to Revleft.
4. You can now safely reconnect to your wireless and disconnect your LAN cable.

For clarity's sake: You're even at risk when you're simply accessing Revleft after your session expired and your browser resends a cookie to auto-login (if you have auto-login enabled).

Sorry for the inconvenience.

You're actually also vulnerable even if you're already authenticated. Though you aren't sending your password over an unencrypted connection, you're still sending cookies with your session info every time you access revleft. Someone else can intercept, copy and reuse them to access revleft as you, without knowing your password.

Also, non-wireless connections are vulnerable too, but to a lesser extent. Login information can still be intercepted at every computer between the revleft server and your own. In my case, there are 16 computers between mine and the revleft server, and they can all intercept and even modify what I send to revleft, and what revleft sends to me.
The above actually also applies for encrypted wireless connections, because the connection between the gateway (where your wireless network connects with the internet) and revleft is still unencrypted.
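The Firesheep post above and Tjis's point about session cookies come down to one server-side question: does the login cookie carry the Secure attribute, so the browser only ever sends it over HTTPS? The script below is an added example, not code from Firesheep or from this forum. It parses Set-Cookie headers, reports session cookies that lack Secure or HttpOnly, and shows which cookies a browser would attach to a plain-HTTP request (which is exactly what anyone sharing the network, or any hop in between, gets to see). The cookie names, the session-name heuristic and the header values are constructed sample data, not taken from any real site.

```python
"""Audit Set-Cookie headers for the session-hijacking risk discussed in the thread.

Added example (not Firesheep's or the forum's code). Everything below is
constructed sample data; the session-name heuristic is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List

# Name fragments that usually mark a login/session cookie (heuristic, assumed).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str]  # attribute names lower-cased, e.g. {"secure": "", "path": "/"}

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value, e.g. 'sid=abc; Path=/; Secure; HttpOnly'."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def cookies_sent_over(cookies: List[Cookie], scheme: str) -> List[str]:
    """Names of cookies a browser would attach to a request using `scheme`.

    Cookies with the Secure attribute travel only over https; all others are
    attached to plain-http requests as well, so the 'http' result is what a
    passive observer on an open wifi network sees in cleartext.
    """
    if scheme == "https":
        return [c.name for c in cookies]
    return [c.name for c in cookies if not c.secure]


def audit(set_cookie_headers: List[str]) -> List[str]:
    """One finding per session cookie that is exposed on http or readable by scripts."""
    findings: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie.name):
            continue  # preference cookies are not worth a finding here
        if not cookie.secure:
            findings.append(f"{cookie.name}: no Secure attribute, sent on plain-HTTP requests")
        if not cookie.httponly:
            findings.append(f"{cookie.name}: no HttpOnly attribute, readable by page scripts")
    return findings


# Constructed sample headers: a weak deployment and a hardened one.
WEAK_HEADERS = [
    "sessionid=CONSTRUCTED1; Path=/",
    "theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=CONSTRUCTED2; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        cookies = [parse_set_cookie(h) for h in headers]
        print(label, "findings:", audit(headers) or "none")
        print(label, "cookies visible on http:", cookies_sent_over(cookies, "http"))
```

The Secure attribute only helps if the site actually serves everything over HTTPS; a login page that sets Secure but then redirects to http:// pages simply breaks the session, which is why the blog post calls full end-to-end encryption the only effective fix.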

Q
27th October 2010, 16:22
Also, non-wireless connections are vulnerable too, but to a lesser extent. Login information can still be intercepted at every computer between the revleft server and your own. In my case, there are 16 computers between mine and the revleft server, and they can all intercept and even modify what I send to revleft, and what revleft sends to me.

How do you check that? :p

Tjis
27th October 2010, 16:32
How do you check that? :p

traceroute.
Basically what it does is send out a ping packet to revleft, with a 'time to live', which says how many computers it can go through before stopping. The TTL is decreased at every computer it goes through and when it reaches 0, it sends something back. So traceroute sends a ping with TTL 1, then one with TTL 2, etc. until it reaches revleft. In the process you get to see every hop in between.
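A small simulation of the TTL mechanism Tjis describes, added here as an example (it is not part of the thread). A real traceroute needs raw sockets and a live network; this version models the path as a constructed list of router addresses and codes the forwarding rule (each router decrements TTL and answers "time exceeded" when it hits zero), then probes with TTL 1, 2, 3, ... until the destination answers. The addresses are documentation ranges, constructed for the example.

```python
"""Simulate traceroute's TTL probing over a constructed path.

Added example, not code from the forum. Router and destination addresses
are constructed sample data from documentation address ranges.
"""
from typing import List, Tuple

# Constructed path: three routers, then the destination server (last entry).
SAMPLE_PATH = ["192.0.2.1", "198.51.100.7", "203.0.113.42", "203.0.113.200"]


def forward(ttl: int, path: List[str]) -> Tuple[str, str]:
    """Carry a probe with the given TTL along `path`.

    Each router decrements the TTL; the router that takes it to 0 drops the
    packet and replies with 'time_exceeded'. If the probe survives every
    router, the destination itself answers with 'echo_reply'.
    Returns (reply_kind, replying_address).
    """
    routers, destination = path[:-1], path[-1]
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return ("time_exceeded", router)
    return ("echo_reply", destination)


def traceroute(path: List[str], max_hops: int = 30) -> List[str]:
    """Probe with TTL 1, 2, 3, ... and collect whoever replies at each step."""
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        kind, address = forward(ttl, path)
        hops.append(address)
        if kind == "echo_reply":
            break  # reached the destination, stop probing
    return hops


def intermediaries(hops: List[str]) -> List[str]:
    """The computers between you and the server: every hop except the last.

    Without HTTPS, each of these can read (and alter) the traffic it forwards.
    """
    return hops[:-1]


if __name__ == "__main__":
    route = traceroute(SAMPLE_PATH)
    for number, address in enumerate(route, start=1):
        print(f"{number:2d}  {address}")
    print(f"{len(intermediaries(route))} computers between here and the destination")
```

On a real system the same picture comes from `traceroute revleft.com` (or `tracert` on Windows); the hop count is the number of places cleartext traffic can be observed, which is the point Tjis is making about wired and encrypted-wifi connections still being exposed beyond the gateway.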

Ele'ill
27th October 2010, 19:34
Yeah, I don't generally care about a 'facebook' type page being hijacked. I hope they have better luck with my friends than I do.

In the event that I post out of character it's because something like this has happened.

No, I'm not planning to troll.

Dr Mindbender
28th October 2010, 00:37
No, the correct advice would be not to login from an open wireless connection like at airports, cafes etc.

What about mobile devices, like iPhones and BlackBerrys?

RedScare
28th October 2010, 01:22
Figures I would discover this at my university library on the university wifi network....

¿Que?
28th October 2010, 03:34
What about mobile devices, like iPhones and BlackBerrys?
Same deal. It's basically the same mechanism.

Edelweiss
28th October 2010, 17:06
An addition: vBulletin does not submit the password in clear text, but encrypted by default (MD5).

But the exploit hasn't anything to do with stealing passwords anyway, so the topic title is misleading. It's about "session hijacking" which is about stealing the login cookie, not the password.

Q
28th October 2010, 19:43
An addition: vBulletin does not submit the password in clear text, but encrypted by default (MD5).

But the exploit hasn't anything to do with stealing passwords anyway, so the topic title is misleading. It's about "session hijacking" which is about stealing the login cookie, not the password.

Yeah, this is correct, but it at least gets people's attention and it is a serious issue, so it's worth being a little misleading :p

Stand Your Ground
29th October 2010, 03:41
Is this only concerning Firefox? Or IE too?

Weezer
29th October 2010, 03:48
Opera +1

Firefox 0

:cool:

¿Que?
29th October 2010, 04:33
Is this only concerning Firefox? Or IE too?
The exploit can be executed regardless of browser or even operating system. The plugin to execute the exploit only works on Firefox. But I don't see why you'd want to install it unless you were some devious RAANista bent on destroying civilization.

Q
29th October 2010, 07:31
Opera +1

Firefox 0

:cool:

As El Vagoneta said, it has nothing to do with the browser that is used. The session exploit can be done using any program really. A simple bash script would even do.

Stand Your Ground
29th October 2010, 22:40
The exploit can be executed regardless of browser or even operating system. The plugin to execute the exploit only works on Firefox. But I don't see why you'd want to install it unless you were some devious RAANista bent on destroying civilization.
Thanks. I'm still not concerned about it though.