Facebook Snoop Tool

Nik Barron - www.virus.org - 15 November 2010

Scathing attack on poor security "Web 2.0" sites

At the recent Toorcon security conference, security researcher Eric Butler presented a scathing attack on the poor security of many "Web 2.0" sites.

The root of the problem is the tendency to protect only the initial password exchange with SSL encryption, but then use a time-limited session key or cookie to authenticate all future access. By intercepting the unencrypted session data it is possible to impersonate the user and access their account. Sites vulnerable to this sort of attack include big names like Hotmail, Yahoo, Facebook and Twitter. Butler's tool has now been downloaded over half a million times.

Such "session stealing" or "sidejacking" attacks are nothing new in the security community; indeed many commentators have bemoaned the lack of "always on" encryption and poor security from sites like Facebook. But Butler decided to simplify the attack and released Firesheep, a Firefox plugin that makes session hijacking a point and click affair.

The release of Firesheep has certainly been a wakeup call to many of the vendors affected; Microsoft have already enabled SSL for Hotmail and rumour has it that Facebook are planning to make it the default connection option (most Facebook users are probably unaware that SSL protection for Facebook is already available, just not the default option). There are even a number of tools available to warn if someone is using it on your network, or to confuse it by sending out bogus connection attempts (well intentioned but possibly illegal as a low-grade denial of service attack).

However it has also led to questions about the ethics of releasing such a tool. While it is definitely true that a "point and click" tool can work wonders for highlighting security issues (indeed I was working on a similar Facebook proof-of-concept tool myself), providing full control over other users' accounts is not necessary to prove there is a vulnerability: simply identifying which users' credentials had been seen, perhaps with a copy of their profile picture or last post, would probably be as effective and a lot less intrusive. Butler is unapologetic in his blog, suggesting that it would not turn good people evil. This may be true, but it would certainly make life a lot easier for dumb evil people wanting to hack Facebook accounts.

In the meantime existing Firefox users can mitigate the problems somewhat by using the EFF's "HTTPS Everywhere" plugin, which unobtrusively redirects unencrypted requests to sites such as Facebook to the appropriate SSL site. Many corporate antivirus products will detect Firesheep as a potentially unwanted application, allowing it to be blocked if required.
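HTTPS Everywhere is a client-side fix; the server-side counterpart is to mark the session cookie so the browser never attaches it to a plain http:// request in the first place. The following Python script is an added example (not code from the article, from Firesheep or from any of the sites named) that models that browser rule and audits Set-Cookie headers for the weakness described above: a session cookie issued after an SSL login but lacking the Secure attribute will be sent in the clear on the next http:// page load. The header lines, the cookie names and the example.com domain are all constructed for the demonstration.

```python
"""Audit Set-Cookie headers for the 'login over SSL, session in the clear' weakness.

Added example, not from the article or from Firesheep. The Set-Cookie lines
below are constructed; cookie names and the example.com domain are hypothetical.
"""

# Substrings that usually mark a cookie as carrying session state (heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name suggest it authenticates the user?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def browser_would_send(cookie: dict, scheme: str) -> bool:
    """Browser scoping rule (RFC 6265): a Secure cookie goes only over https.

    Without the Secure attribute the cookie is attached to http:// requests
    as well, which is exactly what a passive listener on the network sees.
    """
    if cookie["attrs"].get("secure"):
        return scheme == "https"
    return scheme in ("http", "https")


def exposed_session_cookies(set_cookie_headers: list, scheme: str = "http") -> list:
    """Names of session cookies a browser would transmit over the given scheme."""
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if looks_like_session_cookie(cookie["name"]) and browser_would_send(cookie, scheme):
            exposed.append(cookie["name"])
    return exposed


def audit(set_cookie_headers: list) -> list:
    """Return one finding per missing protection on each session cookie."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session_cookie(cookie["name"]):
            continue  # preference cookies such as a language setting are not the concern here
        if browser_would_send(cookie, "http"):
            findings.append(f"{cookie['name']}: missing Secure; sent in clear over http://")
        if not cookie["attrs"].get("httponly"):
            findings.append(f"{cookie['name']}: missing HttpOnly; readable by page scripts")
    return findings


# Constructed headers: the 2010-style issuance the article describes, and a hardened one.
WEAK_SET_COOKIE = [
    "session_id=3f9a7c2e1b; Path=/; Domain=.example.com",
    "lang=en; Path=/",
]
HARDENED_SET_COOKIE = [
    "session_id=3f9a7c2e1b; Path=/; Domain=.example.com; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(f"[{label}] exposed over http://: {exposed_session_cookies(headers)}")
        for finding in audit(headers) or ["no findings"]:
            print(f"  {finding}")
```

Run against a site's real login response, the `audit` output tells you whether an SSL-only login page actually protects the session that follows it; the `exposed_session_cookies` call is the same question asked from the browser's side. The name heuristic is deliberately loose, so treat a miss on an oddly named cookie as a reason to review by hand rather than as a clean bill of health.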


More information: SCMagazine, www.eff.org, www.digitalsociety.org