
Firesheep - Firefox Add-On Hijacks Twitter, Facebook, Google, Yahoo, others

  • 26-10-2010 1:54pm
    #1
    Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭


    http://codebutler.com/firesheep

    Anyone try it out yet?

    I've already managed to get logons from some of the guys here in work.
    Mind, I did tell them so no harm done but goes to show you just how easy it is now to get them.
    Be careful what ye use on public wifi

    Maybe Terry can use this with his wifi-thief neighbors :D

    Anyway, more info here.

    Do ye think it was a good idea for this to be released?


Comments

  • Registered Users, Registered Users 2 Posts: 2,635 ✭✭✭token56


    Very interesting, I can't try it right now but I'll be trying it later on anyway.


  • Registered Users, Registered Users 2 Posts: 8,758 ✭✭✭Stercus Accidit


    Cue 4chan oriented chaos


  • Registered Users, Registered Users 2 Posts: 19,976 ✭✭✭✭humanji


    I can't check the links from here. What exactly does it do? Is it something you have to put on your computer or is it something that you can use to remotely access computers?


  • Registered Users, Registered Users 2 Posts: 2,941 ✭✭✭thebigbiffo


    scary. don't like the idea that this thing's out there


  • Registered Users, Registered Users 2 Posts: 19,323 ✭✭✭✭MrStuffins


    I'm kinda confused.

    Does it allow you to hack in from anywhere, or does it remember the details when people use your computer to log in?


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    humanji wrote: »
    I can't check the links from here. What exactly does it do? Is it something you have to put on your computer or is it something that you can use to remotely access computers?
    MrStuffins wrote: »
    I'm kinda confused.

    Does it allow you to hack in from anywhere, or does it remember the details when people use your computer to log in?
    Firesheep adds a sidebar to Mozilla's Firefox browser that shows when anyone on an open ... Wi-Fi network visits an insecure site. ... [It] illustrates the wide-ranging problem of unencrypted sites and public networks.

    It basically captures cookies sent over an insecure connection (e.g. not https).

    Windows users will need to install WinPcap too.


  • Registered Users, Registered Users 2 Posts: 19,323 ✭✭✭✭MrStuffins


    It basically captures cookies sent over an insecure connection (e.g. not https).

    Windows users will need to install WinPcap too.

    Ah, so this is Terry's answer to his neighbours stealing his internet?


  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko


    More a computer/browser issue imo.
    We'll see.


  • Registered Users, Registered Users 2 Posts: 19,323 ✭✭✭✭MrStuffins


    So, I'm playing the Devil's Advotard here, how does this work exactly? I download it and press "Capture" and random cookies float into my browser? Or can I navigate to a page and steal their cookie?

    I do really like cookies by the way.


  • Registered Users, Registered Users 2 Posts: 8,193 ✭✭✭Wompa1


    It's already been asked but from the link...it does look like you don't need to have the person log in first..it's not a key logger or anything. It looks like you double click on your friend on facebook and it gets the login credentials.. I am doing that this evening for sure!!


  • Registered Users, Registered Users 2 Posts: 19,323 ✭✭✭✭MrStuffins


    Ah, I just read the developer's blog. Very good stuff........... I think


  • Registered Users, Registered Users 2 Posts: 2,823 ✭✭✭neacy69


    this only works if you are connected to an unsecured wifi network (or one secured with a weak security algorithm called WEP)...an example of one of these would be in a cafe or somewhere that doesn't have a password to connect to the wi-fi

    it then captures the information sent over the wifi network by other users which contains login information for sites which are not secured properly such as twitter/facebook....
    If a site is not secure, it keeps track of you through a cookie (more formally referenced as a session) which contains identifying information for that website. The tool effectively grabs these cookies and lets you masquerade as the user.

    it's still limited tho

    There's no question that Firesheep highlights an important Web browsing security flaw that could expose your account to a malicious hacker. But it's also important to keep in mind that sidejacking has its limits. Using Firesheep is not likely to expose your user password. So a hacker may be able to use Firesheep to take action on your behalf such as send an e-mail, post a status update, or send out a tweet. But it's unlikely that Firesheep could be used to steal your account by switching your password on you. Unless, of course, you are using a service that lets you change your password without entering the current one--a rare occurrence these days.


  • Registered Users, Registered Users 2 Posts: 10,906 ✭✭✭✭28064212


    Wompa1 wrote: »
    It's already been asked but from the link...it does look like you don't need to have the person log in first..it's not a key logger or anything. It looks like you double click on your friend on facebook and it gets the login credentials.. I am doing that this evening for sure!!
    No, the target has to log on (from their computer) while FireSheep is "capturing". A log-on site works like this:
    1. You visit the site (say facebook.com)
    2. Facebook requests you to log on with your username and password, which you send
    3. Facebook sends you an "authentication token", which you send back every time you visit another page

    The sending of the username and password is encrypted. The authentication token is not. So if you "grab" the token, you can send it to facebook to appear as the target.

    One thing that's not clear from the article: if I have the network password, will this attack work on a WPA2 network?




  • Closed Accounts Posts: 3,572 ✭✭✭msg11


    neacy69 wrote: »
    this only works if you are connected to an unsecured wifi network (or one secured with a weak security algorithm called WEP)...an example of one of these would be in a cafe or somewhere that doesn't have a password to connect to the wi-fi

    it then captures the information sent over the wifi network by other users which contains login information for sites which are not secured properly such as twitter/facebook....



    it's still limited tho

    Sweet as, I can capture and hack myself :)


  • Moderators, Arts Moderators Posts: 35,731 Mod ✭✭✭✭pickarooney


    I failed to even hack my own account :(


  • Registered Users, Registered Users 2 Posts: 3,871 ✭✭✭Conor108


    Just installed the HTTPS-Everywhere Firefox add-on. Forces sites that support it (like Facebook) to use HTTPS instead of HTTP.

    By the way kids, Facebook has disabled chat when you use HTTPS. Bad buzz.

    I'll give Firesheep a go in college tomorrow :D


  • Registered Users, Registered Users 2 Posts: 30,472 ✭✭✭✭Ghost Train


    Would say any shared local network wired or wireless would be open to this sort of attack, not sure about the particulars of this program though

    website just says open wifi network


  • Registered Users, Registered Users 2 Posts: 7,778 ✭✭✭Big Pussy Bonpensiero


    Very good idea to release this software methinks. Highlights a very serious problem and now hopefully it can be counteracted.


  • Closed Accounts Posts: 3,572 ✭✭✭msg11


    THFC wrote: »
    Very good idea to release this software methinks. Highlights a very serious problem and now hopefully it can be counteracted.

    True, and it ain't too hard a fix either.


  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko


    After Hours -> Tech


  • Closed Accounts Posts: 149 ✭✭nobeastsofierce


    Do the boards.ie webmasters have a fix in the pipes? I assume this hack will allow someone to capture the boards.ie cookie, and post messages as the user?


  • Closed Accounts Posts: 157 ✭✭nudist


    Do the boards.ie webmasters have a fix in the pipes? I assume this hack will allow someone to capture the boards.ie cookie, and post messages as the user?

    I would love it if boards did end to end ssl on all their accounts :)

    To be honest this addon isn't that hyped up as it is. All it does is script kiddie enable wireless man in the middle attacks on unsecured wifi.

    It's easy enough to counter: use WPA2 on wireless in combination with a VPN. So a wireless man in the middle attacker would have to get through 2 layers of encryption to get at your login cookie.

    Though ideally all sites should mandate SSL end to end sessions for their users. What's stopping this? Cost?


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    Do the boards.ie webmasters have a fix in the pipes? I assume this hack will allow someone to capture the boards.ie cookie, and post messages as the user?

    Add a custom website to firesheep and insert the below code:
    // Author:
    // Standard Toaster
    register({
      name: 'Boards',
      url: 'http://www.boards.ie/',
      domains: [ 'boards.ie' ],
      sessionCookieNames: [ 'bbsessionhash', 'bbpassword', 'bbuserid' ],
      identifyUser: function () {
        var resp = this.httpGet(this.siteUrl);
        this.userName = resp.body.querySelectorAll('a')[6].textContent;
    
      }
    });
    

    Restart capture to reload website list.
    Not sure I can pull the avatar as it's not on the main boards homepage when you log on.
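
    A defensive check for the problem discussed in this thread, as an added example that is not part of any post or of Firesheep: it audits Set-Cookie headers for session cookies that are issued over plain HTTP, or issued over HTTPS without the Secure attribute, which is what leaves them readable on a shared network. The cookie names are those listed in the handler above; the host forum.example, the cookie values and the sample responses are constructed.

```javascript
// Session cookie names taken from the handler posted in the thread.
const SESSION_COOKIES = ['bbsessionhash', 'bbpassword', 'bbuserid'];

// Constructed sample: responses recorded while logging in to a test account.
const SAMPLE_RESPONSES = [
  { url: 'https://forum.example/login', setCookie: [
    'bbsessionhash=0123abcd; path=/; HttpOnly',
    'bbuserid=4242; path=/; Secure; HttpOnly',
  ] },
  { url: 'http://forum.example/index', setCookie: [
    'bbpassword=feedface; expires=Wed, 26 Oct 2011 13:54:00 GMT; path=/',
    'bblastvisit=1288101240; path=/',
  ] },
];

// Split one Set-Cookie value into the cookie name and its attribute names.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = new Set(
    parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase())
  );
  return { name, attrs };
}

// Flag session cookies whose value crosses the network unencrypted:
//  - set-over-http: the response that issued the cookie was plain HTTP
//  - missing-secure: issued over HTTPS, but the browser will still attach
//    the cookie to any later http:// request to the same site
function auditSessionCookies(responses, sessionNames) {
  const findings = [];
  for (const { url, setCookie } of responses) {
    const overTls = new URL(url).protocol === 'https:';
    for (const header of setCookie) {
      const { name, attrs } = parseSetCookie(header);
      if (!sessionNames.includes(name)) continue;
      if (!overTls) {
        findings.push({ name, url, issue: 'set-over-http' });
      } else if (!attrs.has('secure')) {
        findings.push({ name, url, issue: 'missing-secure' });
      }
    }
  }
  return findings;
}

console.log(auditSessionCookies(SAMPLE_RESPONSES, SESSION_COOKIES));
```

    An empty result means every listed session cookie was issued over HTTPS with Secure set, so the browser will not send it on an http:// request.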

