So apparently this is old news for some, but I only recently learned about Firesheep in a web security class. If you’re unfamiliar with the program, it’s a Firefox extension that allows you to steal the accounts (on many popular websites) of other users on your network! Of course, it only works if the network and website are unencrypted — in fact, the program’s primary purpose is ostensibly to raise awareness of the dangers of unencrypted network communication.
To use it, all you need to do is install it into Firefox. You then have the option of opening the Firesheep sidebar. Once the “Start Capturing” button is clicked, anyone else on your network who is accessing Facebook, Twitter, Yahoo! Mail, or any number of other sites will appear in the sidebar. From there, just double click on that entry, and congratulations, you’re now that person!
And yes, it’s that simple. Since it works best on unencrypted wireless networks, you could wreak havoc pretty easily if you felt like it.
So how does it work? When your computer is connected to a network, a lot of information reaches your computer that isn’t meant for you, but for other people on the network. This is especially common in wireless networks, since everyone’s data is flying everywhere. Because of this, it’s possible to simply “listen in” on the information hitting your computer that isn’t targeted at you, thereby grabbing raw data “packets” from other people.
However, what does one do with the packets? Several programs (such as Wireshark) exist that allow you to graphically view the packets, but if you wanted to, say, log onto someone else’s Facebook account, you’d have to do a lot of extra work.
See, websites like Facebook are encrypted when you log on (to protect your password), but once you’re logged in, encryption is no longer enabled, and your identity is verified by a random number that Facebook hands your web browser each time you log in. In theory, no one else knows the number, so I can’t just say I’m you and defriend everyone. However, with packet sniffing, I can figure out the number, thus tricking Facebook into thinking that my computer is your computer.
The magic of Firesheep is that it automates this entire process, so I can just click and go, without poking through any lists of packets and analyzing them. Perhaps I’m wrong, but this strikes me as the very first example of usable hacking — a hacking tool so easy to use that anyone who knows how to browse the internet could use it.
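From the site operator's side, the weakness described above (the login is encrypted, but the identifying number, in practice a session cookie, is later sent in the clear) shows up in the response headers. The following is an added example, not code from Firesheep or from this post: it audits one HTTPS response for session cookies missing the `Secure` attribute and for a missing HSTS header. The header values and the `session_id` cookie name are constructed for illustration.

```python
# Added example. All header values are constructed sample data, not captured traffic.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_enabled(value):
    """True if a Strict-Transport-Security value sets a non-zero max-age."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return val.isdigit() and int(val) > 0
    return False


def audit_headers(headers):
    """Return findings for the (name, value) header pairs of one HTTPS response."""
    findings, hsts = [], False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            hsts = hsts or hsts_enabled(hvalue)
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(hvalue)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie}: no Secure attribute, also sent over plain HTTP")
    if not hsts:
        findings.append("no effective Strict-Transport-Security header")
    return findings


# Constructed responses: the pattern described above, and a corrected version.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "session_id=EXAMPLE123; Path=/")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "session_id=EXAMPLE123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or "ok")
```

A cookie marked `Secure` is only sent over HTTPS, and HSTS tells the browser to refuse plain HTTP for the site, so the cookie never crosses an open wireless network unencrypted.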
