Firefox Add-On Can Hijack Facebook, Twitter

Status
Not open for further replies.

devorakman112

well, you can bet that it will get even more attention now that it's here on tom's. it's unbelievable just how poor security is sometimes.
 

rpgplayer

wow great way to really relate your angst against society, post anonymously on a tech news site that has absolutely nothing to do with any kind of racial/ethnic content

instead of +1 you'll get a + douche
 

Lewis57

Hahaha oh wow, who white knighted, I seen this on 4chan /g/ a couple of hours ago. Or yesterday, I don't know, every day is the same.
 

2real

[citation][nom]Lewis57[/nom]Hahaha oh wow, who white knighted, I seen this on 4chan /g/ a couple of hours ago. Or yesterday, I don't know, every day is the same.[/citation]
this shit has been on 4chan for weeks
 

orionantares

[citation][nom]chickenhoagie[/nom]Ok so this only happens to wireless networks with no security? Then I guess I have nothing to worry about.[/citation]

Could still happen on a network with security if the person using it has the network key.
 

Stryter

Well, I won't be logging into my university's network any time soon. I'm gonna stay nice and isolated on my fortified desktop lol
 

2real

[citation][nom]Stryter[/nom]Well, I won't be logging into my university's network any time soon. I'm gonna stay nice and isolated on my fortified desktop lol[/citation]
if you're caught using that on a school campus and you're a student or faculty... you'd be fired/expelled
 

Strider-Hiryu_79

Don't worry facebook fans. Have faith in knowing that facebook will restore...cough...add...restore...cough..add more privacy filter settings soon to protect from such things. Just watch the social network movie and everything will be alright. /sarcasm
 

Shadow703793

[citation][nom]chickenhoagie[/nom]Ok so this only happens to wireless networks with no security? Then I guess I have nothing to worry about.[/citation]
Fail..... It doesn't take much to break WEP. And once WEP is broken this works the same way.

FYI: Most routers use WEP by default or no security at all. I know for a fact that most Verizon routers use WEP.
 

Shadow703793

[citation][nom]2real[/nom]if you're caught using that on a school campus and you're a student or faculty... you'd be fired/expelled[/citation]
Most schools have 2 networks. An open one without security and an internal one that requires student/faculty ID. Many people use the open one due to ease of use and speed. At least this is the case at the schools I've been to. It's impossible to trace you on the non-secured network.
 

chickenhoagie

[citation][nom]Shadow703793[/nom]Fail..... It doesn't take much to break WEP. And once WEP is broken this works the same way. FYI: Most routers use WEP by default or no security at all. I know for a fact that most Verizon routers use WEP.[/citation]
I use WPA2, hence why I say I myself don't have to worry about this problem.

However I do still wonder how this would work if it happened to be over the wire, if say thousands were connected in a corporate building on the same network.
 
Guest
To be clear, what this addon does is grab another user's cookie and force your Firefox to use it - thereby allowing you access to Facebook and any of the other supported sites as if you had logged in as them. Specifically, Firesheep works with unencrypted wireless connections. However, the point that Eric Butler is trying to make with Firesheep is not just that you shouldn't use an unsecured wireless network. The point is that Facebook and the other sites have a very poor security model that allows this to happen.

So all of you that say "I use WPA" or "I don't use wireless, I use Ethernet" - you are missing the point. Anyone who has access and control of the routers between your computer and the servers can effectively do the same thing that Firesheep is doing.

Firesheep just makes it easy for the masses to do it.
 

mihaimm

WPA2 is not as secure as most seem to think and it's vulnerable to brute force attacks (obviously unless you use a randomly generated password of a considerable length - I know I don't and I'm one actually aware of the dangers).
This attack also works on any non-switched LAN network out of the box. A hub based network is essentially exactly like an open wifi (it's just over the wire).
Using ARP poisoning you can do this in any LAN, even switched. The only protection against it would be anti-ARP poisoning software on the client machines.

So... the ONLY effective protection is to use encrypted protocols (https) during the entire communication with the service you're connecting to. I know I'm not logging in to Facebook any time soon.....
 

Micropat

Could someone answer me this:
If my facebook account is hacked by this, is the cookie still valid after I log out of FB or does the hacker lose access once I log out?
 

orionantares

[citation][nom]mihaimm[/nom]WPA2 is not as secure as most seem to think and it's vulnerable to brute force attacks (obviously unless you use a randomly generated password of a considerable length - I know I don't and I'm one actually aware of the dangers).[/citation]

WPA2 can be brute forced so the most secure option for WiFi would be WPA2 combined with limiting access by specific MAC addresses. Just don't be dumb about your device and SSID naming and about connecting your device to "open" WiFi connections and you shouldn't have a problem preventing people from figuring out one of your device MAC addresses for spoofing.

And of course don't use anything that's not encrypted over an "open" WiFi channel as is the moral of the article.
 
Guest
"And of course don't use anything that's not encrypted over an "open" WiFi channel as is the moral of the article." - NO! That is NOT the point of the article!

The point of the article is that Facebook and other sites should use SSL to encrypt all of their traffic. This is a SERVER-BASED issue, not a "what is the very last segment of my internet connection issue"!!
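
Added example, not part of any post in this thread: a server-side check for the condition the posts above describe, a session cookie that can travel unencrypted after login. It goes slightly beyond the thread by checking the cookie `Secure` flag and the HSTS header, which are how "HTTPS for the entire communication" is enforced at the header level; the cookie name and header values are constructed samples.

```python
from http.cookies import SimpleCookie

def hsts_enabled(scheme, headers):
    """True if a usable Strict-Transport-Security header arrived over HTTPS."""
    if scheme != "https":
        return False  # browsers ignore HSTS delivered over plain HTTP
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            for part in value.split(";"):
                key, _, val = part.strip().partition("=")
                val = val.strip('"')
                if key.lower() == "max-age" and val.isdigit():
                    return int(val) > 0
    return False

def audit_response(scheme, headers):
    """Return (cookie_name, problem) findings for one HTTP response.

    scheme  -- "http" or "https", how the response was served
    headers -- list of (name, value) tuples
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if scheme == "http":
                # Cookie is readable by anyone on the network path.
                findings.append((cookie_name, "set over plain HTTP"))
            elif not morsel["secure"]:
                # Issued over TLS, but the browser will also attach it
                # to later http:// requests, where it can be sniffed.
                findings.append((cookie_name, "missing Secure flag"))
    if scheme == "https" and not hsts_enabled(scheme, headers):
        # Without HSTS a browser may still make a first request over HTTP.
        findings.append(("*", "no HSTS"))
    return findings

# Constructed sample responses (not captured from any real site).
PLAIN_HTTP = ("http", [("Set-Cookie", "session=abc123; Path=/")])
LOGIN_ONLY_TLS = ("https", [("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
FULL_TLS = ("https", [
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
])
```
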
 