Author Topic: Firesheep and Session Hijacking Hijinks  (Read 683 times)

loki

Firesheep and Session Hijacking Hijinks
« on: October 25, 2010, 07:06:24 pm »
http://codebutler.com/firesheep

New, easy-to-use Firefox extension that lets anyone with 2 brain cells hijack sessions on open Wifi networks. Tried it locally on my laptop and it works. It's easy to extend using JS, just need to specify some parameters like domain, cookie IDs, etc. Also is capable of processing packets for sites like Wordpress. Pretty interesting that at least FA has an SSL login while a huge site like Facebook does not. (not that it's hard to set up to do mind you)

The potential for exploitation is pretty great - already has over 80k+ downloads.. :D

Jim Demintia

Re: Firesheep and Session Hijacking Hijinks
« Reply #1 on: October 26, 2010, 02:28:11 pm »
FA has SSL login- so your password is protected. As far as I know, it'd still be possible to hijack the session, especially on an open wifi network where you share an IP with the target, like that say at a hotel hosting your friendly local furry convention.

There might also be a possibility to wreak havoc via Flash- the script security settings on FA are not what they should be and theoretically one could interact with FA using JavaScript embedded in Flash- accessing everything that a user viewing the submission could access.

I had a fairly elaborate idea of how this might work planned out in my head when I was bored at work- I have no idea if any of it is possible but with FA who knows.

Also, pretty sure that with Wireshark and Linux, you can access a lot more stuff, say, things on networks you're not signed on to but can still decrypt. For example, unencrypted networks with MAC access controls, WEP networks, or WPA-PSK networks with low password quality. I'd imagine all that extension does is kick your wireless card into promiscuous mode, which may or may not yield the desired results, especially on Windows. As far as I know, passive monitoring of the radio space around you requires driver support, something only Linux and maybe some BSDs have.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Pi

Re: Firesheep and Session Hijacking Hijinks
« Reply #2 on: October 26, 2010, 04:18:29 pm »
FA has SSL login- so your password is protected. As far as I know, it'd still be possible to hijack the session, especially on an open wifi network where you share an IP with the target, like that say at a hotel hosting your friendly local furry convention.

FA doesn't have SSL protecting every place it should.

Also, the only reason they bothered to implement an SSL login page is because Dragoneer got his password horked over an open wifi connection. They wouldn't care otherwise.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

loki

Re: Firesheep and Session Hijacking Hijinks
« Reply #3 on: October 26, 2010, 04:34:46 pm »
Yea, I think the guy who made it was arguing for end-to-end SSL for everything; the login cookies aren't encrypted for FA and probably aren't even HttpOnly at the very least. :X
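
Added example, not part of any post in this thread: a small audit of Set-Cookie headers for the gap the replies describe, where the login form is on SSL but the session cookie carries no Secure or HttpOnly attribute. The sample headers, cookie names and the SESSION_MARKERS heuristic are constructed assumptions, not taken from any real site.

```python
"""Audit Set-Cookie headers: SSL login, but is the session cookie protected?"""

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "login-only-ssl": [
        "Set-Cookie: session_id=3f9a1c; Path=/",
        "Set-Cookie: theme=dark; Path=/",
    ],
    "ssl-everywhere": [
        "Set-Cookie: session_id=3f9a1c; Path=/; Secure; HttpOnly",
        "Set-Cookie: theme=dark; Path=/",
    ],
}

# Assumption: cookie names containing these markers carry session state.
SESSION_MARKERS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header_line):
    """Return (name, set of lower-cased attribute names) for one header."""
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(header_lines):
    """Return a sorted list of (cookie_name, finding) for session cookies."""
    findings = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        if not any(m in name.lower() for m in SESSION_MARKERS):
            continue  # preference cookies are out of scope here
        if "secure" not in attrs:
            findings.append((name, "no Secure: sent over plain HTTP, sniffable"))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly: readable by page script"))
    return sorted(findings)


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, audit(headers) or "OK")
```

The Secure attribute only helps when every page that needs the session is served over HTTPS; on a site with SSL for the login form alone, setting it would break the plain-HTTP pages rather than protect them.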