Firesheep cookie-jacking tool triggers arms race
The response to the Firesheep plug-in for Firefox continues to be huge because the tool is so easy to operate, and because numerous services and users are still vulnerable. Firesheep allows attackers to access the accounts of other users on public networks. The counter at GitHub.com has so far registered more than 678,000 downloads.
Meanwhile, security researchers are trying to find ways of detecting, preventing, or refining Firesheep attacks. Security firm Zscaler has released BlackSheep, a Firefox plug-in which alerts users in case of an attack. The plug-in sends bogus cookies into the network and monitors whether someone attempts to use such a cookie to access a web page. If an attempt is detected, it means that someone on the network is using Firesheep or a similar tool. BlackSheep will respond by displaying an alert which includes the attacker's IP address in the user's browser. BlackSheep is based on the source code of Firesheep.
Zscaler says that BlackSheep currently works under Windows and Mac OS X, and that a Linux version is soon to be released. Under Windows, the WinPcap network library needs to be installed to run the tool. However, WinPcap doesn't support all available Wi-Fi drivers, which means that some Windows users can't use BlackSheep in Wi-Fi networks. In a post on his Twitter account, Firesheep developer Eric Butler has said that BlackSheep is "not a solution" as attackers could easily hide themselves by using VPN or other tools.
Vendor Antago, on the other hand, has presented simple instructions on how to use Firesheep to collect cookies in switched networks. By default, Firesheep has so far been limited to shared transmission media such as unencrypted Wi-Fi networks or networks where everyone uses the same key. Such networks allow every user to read all transmitted packets.
In wired, switched networks, users can normally see only their own data traffic, but not that of other network users. However, ARP spoofing allows attackers to redirect other users' PC traffic via their own PCs (MiTM) by manipulating other systems' ARP cache and Mac-to-IP address resolution.
Antago demonstrates how to combine a freely available ARP spoofing tool with a small Windows program and Firefox. Once the system is set up, attackers can read a specific PC's data traffic and collect cookies at the click of a button. While this attack type isn't new, it is easily implemented even by inexperienced users. It is likely that an increasing number of attempted attacks using Firesheep will soon be observed in corporate networks. Antago say they released the instructions to prompt web sites, such as Facebook, to increase their page security (sooner).
Microsoft has said it plans to switch its email services to SSL before the end of the year, and Facebook wants to do so within the next few months.
- Firefox extension steals Facebook, Twitter, etc. sessions, a report from The H.