Saturday, November 6, 2010

Attack Clients on Open Wifi - Firesheep (Part 2)

Looks like the 15 minutes of fame for Firesheep is getting extended...

Sites you can pwn using Firesheep:
  • Facebook
  • Twitter
  • Flickr
  • Yahoo! Mail
  • Windows Live
  • Hotmail
  • (not GMail)
  • Slashdot
  • Amazon
  • Newegg
  • Home Depot
  • United Airlines
  • Office Max
  • Wordpress (when not using their optional SSL)
  • More coming soon!
Why is it so easy for mass pwnage?  A lot of sites, including most social networking sites, use HTTPS only for the login form.  After that, it's all good ol' HTTP, so the session cookie handed out at login rides along in the clear with every request.  Also, in general, it's very difficult to have persistent HTTPS, or end-to-end encryption.  So, for this type of "session-hijack" you don't even need the user/pass of the victim.  Essentially the attacker can impersonate the victim, thus taking control of the account.
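As an added illustration (not code from the original post), here is a small Python audit of the headers a site sends back after login, run over constructed samples: the weak pattern described above, where the session cookie lacks the Secure attribute and so is sent over plain HTTP, next to a hardened one. Cookie names, values, and the Strict-Transport-Security check are assumptions for the example; the post itself only names SSL/TLS as the fix.

```python
# Audit post-login response headers for the mistake that makes
# Firesheep-style session hijacking possible: a session cookie the
# browser will also send over plain HTTP.  Constructed example, not
# from the original post.

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (name, value, attrs); attr keys lowercase."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def audit_response(headers):
    """headers: list of (name, value) pairs from the response to a login POST.
    Returns a list of findings; an empty list means nothing obviously exposed."""
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(v)
        if not any(h in name.lower() for h in SESSION_NAME_HINTS):
            continue  # not a session cookie, e.g. a language preference
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute, sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly attribute, readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security, later HTTP visits stay plaintext")
    return findings


# Constructed samples (hypothetical cookie names and values).
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=9f3a1c7e; Path=/; Expires=Sat, 06 Nov 2011 00:00:00 GMT"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=9f3a1c7e; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(hdrs) or ["ok"])
```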
In truth, Wireshark did this ages ago via the little-known method of copy/paste :)  Turn the clock back to the beginnings of 802.11, war-driving, and WEP-cracking, and this type of attack was already possible.  Why all the discussion now?  Because instead of copy/paste, you get a nice little GUI and employ the uber-powerful double-click!
What does all this mean?  Whenever an attack gets easier, it tends to become more popular.  You can bet top dollar that going forward, at Starbucks, Safeways, Hotels, or wherever there is free open wifi, there will be someone running Firesheep.  Hint:  look for the script kiddie, social outcast, or the dude laughing so hard he looks like he may shit himself.
A few words of caution if you intend on "testing" this out in your neighborhood:
  • People are already doing this, so you're behind the times (see above link)
  • Most owners of open wifi at commercial establishments have a ToS (terms of service), and you are likely violating it.  However, the ToS also cuts both ways: it informs users that there is no expectation of privacy, and no liability for the store/wifi owner, should damage occur.
  • In many countries/states/counties/cities, it is illegal to sniff networks for user information unless said users authorize the action.  Check your local laws (IANAL).
To finish out this post, I'll add a short list of additional "connections/networks/protocols" that are vulnerable to Firesheep-style sniffing (yeah, so I interchanged words that shouldn't be interchanged, sue me):
  • POP3 Mail
  • SMTP Mail
  • IMAP Mail
  • FTP
Hint:  SSL/TLS, SSH, and VPN are your friends!  Stay tuned for Part 3 that will describe how to beat Firesheep!


  1. Looking forward to part 3, beating Firesheep is something I have more use for than using Firesheep.

  2. wow, didn't know that it could be so easy. Great blog, you've got a new follower!

  3. very nice post man, great job

  4. I love the illustrative pics in your blog. Makes me giggle.

  5. Great info, keeping an eye out for part 3!

  6. wow, that's some great text mixed with great image. nice post, keep up the good work man !

  7. Great images, and interesting content, you have a new follower here as well!

  8. Yup, I've been using it for a while, I like it lol. Changed my friends' sex to female a lot....

  9. Man, this is crazy... now if only I cared about hacking someone's facebook...

  10. Too bad I don't have anything to hack, or this would be really useful.

  11. Nice stuff, liking the layout of your blog, suits your content well

  12. Sadly this doesn't work on my campus's wifi, damn they are smart |: