[Owasp-Malaysia] Fwd: [apwg] Website Sidejacking

Muhammad Najmi Ahmad Zabidi najmi.zabidi at gmail.com
Wed Oct 27 19:14:18 EDT 2010

---------- Forwarded message ----------
From: Najmi <najmi at kict.iiu.edu.my>

----- Forwarded message -----
From: "Tim Lott" <tlott at search.org>
Date: Thu, Oct 28, 2010 1:04 am
Subject: [apwg] Website Sidejacking
To: "apwg at members.apwg.org" <apwg at members.apwg.org>

Apologies for the cross-posting.

Many of you have probably heard in the news about the new add-on for Firefox
called Firesheep. This add-on makes it incredibly easy to sidejack
non-‘HTTPS’ login sites (for example Facebook and Twitter) if you connect
to them over an open wireless network. While the ability to sidejack is
nothing new, this add-on makes it feasible for anyone to do it with one
click. No programming or “hacker skills” are needed. As of this morning this
add-on has been downloaded over 312,000 times and has only been available
since Sunday.

We know many of you have personal Facebook accounts and wanted to get this
information to you as soon as possible. The takeovers can occur if you
connect to an open wireless network (such as a coffee shop, the airport, or
a hotel) and then log in to your accounts. All Internet browsers and mobile
Internet browsers as well as Facebook and Twitter apps for iPhone and iPad
are susceptible to this vulnerability. In Facebook the sidejackers can
access all areas of your profile, send messages as you, intercept chat
messages, read Facebook emails and change privacy settings, but the one
thing that they are unable to do is to change your password. In Twitter the
sidejackers can tweet as you, send direct messages as you, view all of your
Twitter direct messages and can change certain settings, including deleting
the current phone number and adding a new one. Other websites are also
affected, but not to this degree of vulnerability. The developer states that
he will be adding more websites soon. The complete list of websites can be
found at http://github.com/codebutler/firesheep/wiki/Handlers.

We have tested this add-on using Facebook, Twitter, Google, Yahoo,
Foursquare, Tumblr, Yelp, and Amazon. Each website was able to be accessed
with varying levels of success. For example in Amazon you can view the
Wishlist, but not make purchases or change settings. In Yahoo you can
preview the most recent email, but not read the full body and you can view
the Yahoo Messenger contact list, but not chat. In Google you can view the
full contact list (including phone contacts if the Gmail account is synced
to the Droid), but not view emails or change settings. By far the most
functionality is gained through Facebook, Twitter, Foursquare and Tumblr in
our testing.

The best way to protect yourself from this attack is to not connect to open
wireless and log in to any accounts. However we know that this is not always
feasible. If you are going to connect to open wireless networks and log in
to these accounts, use an ‘HTTPS’ login (for example type
https://facebook.com rather than http://facebook.com). If you use the Firefox
Internet browser there is an add-on you can download that will automatically
direct you to all ‘HTTPS’ logins so you don’t have to remember. It can be
downloaded at https://www.eff.org/https-everywhere. We have not done any
extensive testing of this add-on and users download it at their own risk.
‘HTTPS’ logins are not possible with iPhone and iPad apps so there is no
way to protect yourself when using those devices connected to open wireless.
If you connect on these devices through the 3G connection you are protected.

If you have open wireless at your residence you are also susceptible. Once
again we know that this is not a new concept for open wireless networks.
Hackers have always had the ability to obtain this information. The scary
part is how incredibly easy Firesheep makes this attack for the everyday
computer user. It is literally one click to obtain this information. In
addition this add-on combined with anyone who has hacker skills could easily
gain even more information about users.

It is important for law enforcement to know not only for your personal
safety, but also for the implications in cases involving stalking,
cyber-bullying, harassment, blackmail, identity theft, etc. Because the
sidejacking takes place on an open wireless network it would be extremely
difficult to locate the person who actually posted the information.

If you have any questions don’t hesitate to contact myself or Lauren Wagner
(lauren at search.org) as we have been conducting tests on this vulnerability
and will continue to do so.


Timothy M. Lott

High Tech Crime Training Specialist

SEARCH, The National Consortium for Justice Information and Statistics

Desk: 916.392.2550, ext. 209

Cell:   916.205.5213

Email: tlott at search.org
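An added defensive check, not part of Tim Lott's message or of Firesheep: it audits one HTTP response for the two conditions that let a login session be captured on open wireless, a session cookie without the Secure attribute (so the browser also sends it over plain http://) and no Strict-Transport-Security header (so the browser will still make plain http:// requests at all). The sample responses are constructed, and the session-cookie name heuristic is an assumption.

```python
"""Constructed example: audit one HTTP response for what makes session
sidejacking possible on open wireless: a session cookie without the Secure
attribute and no Strict-Transport-Security header."""

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")  # assumption: naming heuristic

def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lowercase: val})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def cookie_sent_over(attrs, scheme):
    """Browser rule: a Secure cookie travels only over https; any other over both."""
    return scheme == "https" or "secure" not in attrs

def audit_headers(headers):
    """headers: list of (name, value) pairs from one response.
    Returns findings; an empty list means no sidejacking exposure was found."""
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security: browser may still use http://")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if not any(h in name.lower() for h in SESSION_NAME_HINTS):
            continue  # not a session cookie under our naming heuristic
        if cookie_sent_over(attrs, "http"):
            findings.append(f"cookie {name!r} lacks Secure: sent in clear over http://")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by page script")
    return findings

# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=CONSTRUCTED123; Path=/; Domain=.example.com"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=CONSTRUCTED123; Path=/; Secure; HttpOnly"),
]
```

Running `audit_headers` on the weak response reports three findings (missing HSTS, missing Secure, missing HttpOnly); the hardened response reports none.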