Monday, November 28, 2011

Facebook and Twitter WiFi privacy hole

Boy, howdy, how'd I miss this one:
Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.
Actually, I know exactly how I missed it - I was moving, and packing boxes rather than watching security stuff. But in any case, this is real:

This is nasty - basically, the session cookie is passed between the web site and the browser over plain HTTP, unencrypted and unauthenticated, so any Tom, Dick, or H4X0r sitting at Starbucks can snarf it out of the air via the open (public) WiFi. Then he simply goes to Facebook (or Twitter), presents your cookie, and is logged in as you. Who do you want to be friends with today ....

In fact, this is nasty enough that Google changed GMail so that it only uses encrypted web (https) connections, which entirely fixes the issue.  Facebook added an option to require encryption, too - and all y'all should go turn this on (ignore the blather about "military grade" encryption):
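If you run a site yourself, the fix the post describes boils down to two server-side checks: session cookies carry the Secure attribute (so the browser never sends them over plain HTTP) and the server pins browsers to HTTPS. The following Python audit is an added example, not code from the post or from Facebook or Google; the cookie-name hints and the sample response headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the open-WiFi exposure described above:
a session cookie without the Secure attribute is sent over plain HTTP too,
where any sniffer on the same network can read and replay it."""

from dataclasses import dataclass


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool


# Substrings that usually mark a login-session cookie (illustrative list,
# an assumption of this example rather than any site's documentation).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie value. Attributes after the first ';' are
    case-insensitive; Secure and HttpOnly are flags with no value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFinding(name, "secure" in attrs, "httponly" in attrs)


def audit_response(headers: list[tuple[str, str]]) -> dict:
    """headers: (name, value) pairs as sent by the server, one tuple per
    Set-Cookie line (never join them with ','; Expires dates contain commas).
    Returns session cookies that would leak over HTTP and whether the
    server sends Strict-Transport-Security (HSTS)."""
    leaky, hsts = [], False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = True
        elif lname == "set-cookie":
            c = parse_set_cookie(value)
            looks_session = any(h in c.name.lower() for h in SESSION_NAME_HINTS)
            if looks_session and not c.secure:
                leaky.append(c.name)
    return {"leaky_session_cookies": leaky, "hsts": hsts}


# Constructed samples: a 2011-style login response, and the hardened version.
SAMPLE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Expires=Wed, 30 Nov 2011 10:00:00 GMT"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(audit_response(SAMPLE_HEADERS))  # → {'leaky_session_cookies': ['sessionid'], 'hsts': False}
```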

But there's a catch. It seems that Facebook does not require Apps to use this, so your session is reset to insecure when you play Farmville or take a poll or do whatever you wacky hipsters do there. You'll even get a prompt to close your browser and log in with a new one, so the fix is incomplete.

And as far as I can tell, Twitter doesn't have a fix at all, so be careful tweeting @iPwnUl0nGt1m3 ....

The first video here has good advice: install the HTTPS Everywhere extension in Firefox. The EFF are good folks (meaning you can trust their download), and the plugin forces Twitter and Facebook to use encrypted sessions, which entirely removes your risk.

4 comments:

Brock Townsend said...

install the httpseverywhere extension in Firefox

Agreed. I've been using it for a few months along with Ghostery.

Old NFO said...

Another reason I stay off Facebook...

North said...

Facewhat?

Anonymous said...

Thanks. I use that free wifi all the time for work. Color me clueless.