Arsyan's Virtual Playground

Facebook Session Hijack Using Firesheep. SCARY!

2010-10-25 16:36:42

I didn't believe it at first. Until i tried it my self and beyond my eyes it worked! I came to a sudden struck of disbelief that i could actually view other people's Facebook account, Edit their Profile, Change Status, Change Description, Change Relationship Staus, Post things on their friends wall to cause misunderstanding between them, its seriously a scary thing. And i had witness it in front of my eyes.

The exploit is by Eric Butler called Firesheep. Quoting his blogpost regarding this matter.

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

I kinda have a bit of understanding of what he explained on his blog, apparently it is a well known problem and surprisingly Facebook is unprotected in this case, and so does a lot more site in this world. Without further adue i downloaded the Firefox Extension and installed it on my Mac. Luckily enough i was in old town having food where there is public wifi. Immediately after i start capturing data. I got a few account listed down on the side.



These are the people who are logging in Facebook in the old town i was sitting and once i double clicked their profile i was immediately logged in as them on Facebook. Scary huh?



Not did i just able to see her Private Messages or her Notifications and such. I can do a lot more, it is as though im logging in as her account on my Mac and could change anything i want to. So i did a few harmless experiment to try and see if its possible. (Apologize to account owner, hope you revert your changes back.) Here are some of the possibilities that you can do:

1. Change Status & Short Description of themselves.


2. Change their Privacy Status


3. Change Interested in Men/Women


4. Change Relationship Status


5. Browse their Friends Telephone Number & Delete Friends


6. Post shit on their friends wall


7. Read their Inbox messages


...And alot more as you can imagine.

The only thing that you cant do is to Delete Account or Change Account Settings, which requires as additional re-type of their password which you wouldn't have known in the first place because it was never been openly transmitted through the public wifi. Remember, all you did just now using Firesheep was just hijacking the user's session, you dont know their passwords.



Hence, there's no way for you to delete the other person's account, hence in away you're still safe from loosing all your social life account but however things inside can still be deleted and altered. Its a scary thought knowing that this is possible in public wifi. This also captures your google account as you can see in the screenshot it captures my gmail account there, probably because im always logged on gmail thats why.

Now think of the possibilites of this thing can do, you're in a public place and you see this hot chick on her notebook logging in Facebook and you want to get to know her name, with this tool you can do so and u can start messaging her then. If you wanna take this to another stalker level, then logged in her account and look at her friends list and numbers call them up, and do whatever "Social Engineering" skills you have to obtain what you want. This is really the best tool for stalkers and social engineers.

Further research as i try is that i noticed that when i use my iPhone to login touch.facebook.com it doesnt seem to be capturing it but when i click on Full Site, then my named appeared as one in the captured list. And to my suprise, i discovered that it also captures Windows Live Session as well. And i was able to login their Hotmail account and read their emails... WHAT THE FUCKKKK ???????



From now on, i would urge my fellow friends to no longer use public wifi as this Firesheep tool has been built easily for others even a noob could know how to use it. So please be aware guys. Be careful. Surf Safe.

UPDATE:
Friendster not affected on Firesheep though same Cookie Session Hijacking concept still can be applied. Friendster is not affected because its not part of the watch list of Firesheep.