[url=http://www.hardocp.com/news/2010/10/25/session_hijacking_via_firefox_extention]Source[/url]
[release]Want to know just how serious session sidejacking is? [url=http://codebutler.com/firesheep]Read this[/url] and you’ll know.
[B]Firesheep[/B]
When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
Today at [url=http://sandiego.toorcon.org/]Toorcon 12[/url] I announced the release of [url=http://codebutler.github.com/firesheep]Firesheep[/url], a Firefox extension designed to demonstrate just how serious this problem is.
After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.
[img]http://imgur.com/ICuLP.png[/img]
As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:
[img]http://imgur.com/dH13S.png[/img]
Double-click on someone, and you're instantly logged in as them.
[img]http://imgur.com/loD0Q.png[/img]
That's it.
[url=http://codebutler.github.com/firesheep]Firesheep[/url] is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.[/release]
Interesting... pretty interesting and scary at the same time... will FP implement some kind of solution against this??
Brb ruining neighbors lives.
The 6 unsecured wifi networks within range mean I am about to have a LOT of fun
[quote]Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.[/quote]
Why you shouldn't use open Wi-fi
BRB laptop
[editline]25th October 2010[/editline]
gonna test this out with my own connection
Oh shit, is it really that easy? :v:
[QUOTE=WeekendWarrior;25642593]Why you shouldn't use open Wi-fi[/QUOTE]
Common sense isn't that common, my friend :v:
If most people were tech-savvy like you or I, stuff like this wouldn't even have a point in the first place...
University open network, here I come!
£5 says firesheep also contains a rootkit that will be used to make an article in a few months time about how anyone will try to spy on their neighbours
[QUOTE=Pretiacruento;25642654]Common sense isn't that common, my friend :v:
If most people were tech-savvy like you or I, stuff like this wouldn't even have a point in the first place...[/QUOTE]
If only. The amount of open networks I can find in a day is shocking, seems like people ask for this to happen.
I can now pretend to be a little girl, my life is complete.
D'ohohoho school WiFi.
[QUOTE=ravioolz;25643019]D'ohohoho school WiFi.[/QUOTE]
My school's network is password protected. But one look in the network settings got me the WEP key.
hello Starbucks
Oh I'm gonna have some fun at University tomorrow :smug:
there's only like 1 open wifi spot near me and as far as I can tell, noone ever uses it apart from me occasionally
this is gonna be fun at uni lol
Neighbours spying spying neighbours
Tomorrow's going to be a good day in double free in school.
Along with my wireshark experiments.
Starbucks (and hipsters) here I come.
Or maybe a Best Buy...
I'm pretty sure it'll be massively illegal for you to 'have fun' with anyone's accounts you get through this.
Finally, revenge for all the arguing my neighbors have been doing.
[editline]26th October 2010[/editline]
[QUOTE=SCopE5000;25645353]I'm pretty sure it'll be massively illegal for you to 'have fun' with anyone's accounts you get through this.[/QUOTE]
Obviously it depends on how much "fun" you have.
[QUOTE=WeekendWarrior;25642593]Why you shouldn't use open Wi-fi[/QUOTE]
WEP is no better.
In Europe if you leave your door unlocked the police have to get an eviction notice.
Leave your wifi unlocked? Beurocratic nightmare.
[QUOTE=Pretiacruento;25642536]
Interesting... pretty interesting and scary at the same time... will FP implement some kind of solution against this??[/QUOTE]
Is your Facepunch account really that valuable to you?
[QUOTE=SCopE5000;25645353]I'm pretty sure it'll be massively illegal for you to 'have fun' with anyone's accounts you get through this.[/QUOTE]
I am pretty sure they can't catch you. There is no ip or anything, so how will they know it was you?
I don't see a sidebar after installing it.
[editline]26th October 2010[/editline]
nvm it's working. nice.
Holy shit, my town in Tennessee has free wifi. It's rather slow at 200 KBps, but still, free.
[QUOTE=wolfalt;25645801]WEP is no better.[/QUOTE]
[url]http://www.aircrack-ng.org/[/url] :v:
-snip- nvm
Sorry, you need to Log In to post a reply to this thread.
